Authenticating Desktop Applications with Keycloak and the keycloak-installed adapter
by Thomas Darimont
Hello folks,
I played a bit with the undocumented? [0] keycloak-installed adapter [1] for integrating desktop applications with Keycloak SSO and found some issues with it, which I'd like to share.
Small explanation for those who are reading the list but don't know the adapter... [2]
First some general notes / suggestions:
Is the keycloak-installed adapter something that will stay in keycloak or
was this just a PoC?
In the former case I think there are some things that could be improved or
extended a bit:
- Allow users to customize the locale used for the login pages opened by the adapter
- Provide customizable response templates (perhaps by leveraging a provided ResourceBundle)
- Allow to customize pages shown after login / logout served by the keycloak-installed adapter
- Add support for TLS (with custom certificates) for https:// with localhost
I noticed that some browsers (e.g. Chrome) show an error page when trying to redirect to the local mini-webserver after a successful login since the mini-webserver (...server-socket) embedded in the adapter doesn't respond with a valid HTTP response.
With that fixed, it worked with all browsers I tested (IE, Firefox, Chrome).
My current modifications of the keycloak-installed adapter (with HTTP response fixes and response customizations) are here:
https://github.com/thomasdarimont/keycloak/commit/b8ee52a946e73503b1737f5...
An extended example (using the modified keycloak-installed adapter) can be found here:
https://gist.github.com/thomasdarimont/c59c14f45ea2ee00d7b6fbe2c013c5f1
WDYT?
Cheers,
Thomas
[0] Not mentioned here:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java...
[1] https://github.com/keycloak/keycloak/tree/master/adapters/oidc/installed
[2] For those that haven't seen the adapter yet, it allows authenticating against Keycloak from a desktop app (e.g. swing, javafx) by opening a desktop browser window where a user uses the regular keycloak login pages to login.
The trick is now that the login page is opened with a redirect URL that points to a small local "web server" (server-socket) on a free ephemeral port which is started by the adapter.
After logging in, the mini web-server performs the authorization code flow and eventually receives the tokens (access_token, refresh_token, id_token), which can then be used to call backend services from the client or retrieve new tokens.
A nice side effect of this is that the desktop application never sees a user's password and one can leverage existing SSO sessions.
Btw. the google cloud cli uses the same approach to authenticate with gcp.
The Keycloak repo contains a small example for this:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
6 years, 11 months
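The loopback-redirect flow described in Thomas's post, as an added example that is not part of the original post and not the keycloak-installed adapter's code. It binds a free loopback port as the redirect target, builds the authorization URL, and answers the browser's callback with a complete HTTP/1.1 response (the fix the post describes). Two hardenings the post does not mention are added and labelled as such: a random `state` parameter and PKCE (RFC 7636). The Keycloak endpoint URLs and the `client_id` are assumptions.

```python
"""Loopback-redirect authorization code flow for a native app.

Added example, not the keycloak-installed adapter's code. It shows the trick
from the post (a redirect_uri on a free loopback port served by the app) and
answers the browser with a complete HTTP/1.1 response, the fix the post
describes. Two hardenings the post does not mention are added and labelled:
a random `state` and PKCE (RFC 7636). Endpoint URLs and client_id are assumed.
"""
import base64
import hashlib
import json
import secrets
import socket
import urllib.parse, urllib.request


def pkce_pair():
    """RFC 7636 code_verifier and S256 code_challenge (added hardening)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def http_response(status, body):
    """A complete HTTP/1.1 response: status line, headers, blank line, body."""
    reason = {200: "OK", 400: "Bad Request", 404: "Not Found"}[status]
    payload = body.encode("utf-8")
    head = (f"HTTP/1.1 {status} {reason}\r\nContent-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(payload)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + payload


def parse_callback(request, expected_state, path="/callback"):
    """Parse the browser's GET on the loopback socket -> (code or None, status, body)."""
    try:
        method, target, _ = request.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except (ValueError, UnicodeDecodeError):
        return None, 400, "<h1>Malformed request</h1>"
    url = urllib.parse.urlsplit(target)
    if method != "GET" or url.path != path:
        return None, 404, "<h1>Not found</h1>"  # e.g. the browser's favicon probe
    params = dict(urllib.parse.parse_qsl(url.query))
    if "error" in params:
        return None, 400, "<h1>Login failed</h1>"  # do not reflect the error text
    # Constant-time compare; a mismatch means this callback was not for our request.
    if not secrets.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        return None, 400, "<h1>State mismatch</h1>"
    if "code" not in params:
        return None, 400, "<h1>No authorization code</h1>"
    return params["code"], 200, "<h1>Login complete</h1><p>You can close this window.</p>"


class LoopbackReceiver:
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: the OS picks a free ephemeral port
        self.sock.listen(1)
        self.redirect_uri = f"http://127.0.0.1:{self.sock.getsockname()[1]}/callback"
        self.state = secrets.token_urlsafe(16)
        self.verifier, self.challenge = pkce_pair()

    def authorization_url(self, auth_endpoint, client_id, scope="openid"):
        query = urllib.parse.urlencode({
            "response_type": "code", "client_id": client_id, "scope": scope,
            "redirect_uri": self.redirect_uri, "state": self.state,
            "code_challenge": self.challenge, "code_challenge_method": "S256",
        })
        return f"{auth_endpoint}?{query}"

    def wait_for_code(self, timeout=300):
        """Accept exactly one callback, answer it properly, return the code."""
        self.sock.settimeout(timeout)
        conn, _ = self.sock.accept()
        try:
            request = conn.recv(65536)  # the callback GET is small; one read suffices here
            code, status, body = parse_callback(request, self.state)
            conn.sendall(http_response(status, body))  # valid response: no browser error page
        finally:
            conn.close()
            self.sock.close()
        if code is None:
            raise RuntimeError(f"callback rejected: {body}")
        return code


def exchange_code(token_endpoint, client_id, code, receiver):
    """Redeem the code for access/refresh/id tokens (needs network; not run in tests)."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code", "client_id": client_id, "code": code,
        "redirect_uri": receiver.redirect_uri, "code_verifier": receiver.verifier,
    }).encode("ascii")
    with urllib.request.urlopen(token_endpoint, data=form, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    import webbrowser
    base = "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect"  # assumed
    rx = LoopbackReceiver()
    webbrowser.open(rx.authorization_url(f"{base}/auth", "desktop-app"))  # assumed client_id
    tokens = exchange_code(f"{base}/token", "desktop-app", rx.wait_for_code(), rx)
```

The `state` check is what stops another local process or a stray tab from handing the app a code it did not ask for; with PKCE the code is additionally useless to anyone who did not hold `code_verifier`, which matters because a public desktop client has no client secret. For the `https://` on localhost item from the post's wish list: loopback traffic never leaves the host, so plain `http://127.0.0.1` is what the OAuth native-app guidance expects and no certificate is needed.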
ProviderFactory::postDeploy?
by Dmitry
Hi,
At the moment, the ProviderFactory::postInit() method is not called
during hot (re)deployment of providers, only during server startup.
This is considered a bug (see discussion in keycloak-user, KEYCLOAK-5131 and PR #4282).
Meanwhile, Marek and I have been discussing the problem of accessing
data model from postInit (see the keycloak-user post). Turns out that
the semantics should be significantly different depending on whether
postInit() is called during server startup or hot deploy. In the first
case, one should listen for PostMigrationEvent. In the second case, the
event is not available and thus shouldn't be listened for. However, the
provider should be able to somehow distinguish the cases. There are
some hacks like analyzing current thread name, querying JNDI or
Resteasy, but maybe we can come up with something more clean and
simple?
Marek has suggested that the new method should be introduced on the
ProviderFactory interface, with empty default implementation (in order
not to break the code). What do you think?
Dmitry
7 years
Renaming testsuite/integration to testsuite/integration-deprecated
by Stian Thorgersen
I would like to rename testsuite/integration to
testsuite/integration-deprecated. This is to make it clear to external
contributors that the testsuite is deprecated and new tests should be added
to testsuite/integration-arquillian.
I would also like to rename testsuite/integration-arquillian
to testsuite/integration.
7 years, 3 months
token exchange
by Bill Burke
I've implemented a simple token exchange API [1] that allows you to
exchange an access token created for one client to another client. The
REST API follows the oauth token exchange api [2] very loosely.
subject_token: a keycloak access token
audience: takes a client id
It then converts the access token created for one client into one for another. It lives under the token endpoint.
The security model is as follows:
* Authenticate calling client the same way as password grant.
* The calling client must have service account enabled
* Service account must have a realm role "token-exchanger" granted to it or, it must have a client role "token-exchanger" granted to it. This exchanger client role is a role defined by the target client you are exchanging the token to.
Is this a good security model? I'm thinking of not creating these roles
right now and to enable support for exchange would require defining the
roles specified above.
Future work would be to have an additional subject_issuer and
requested_issuer parameters. "subject_issuer" would match to a broker
alias, so you could exchange a facebook token for a keycloak realm
token. Same thing goes for "requested_issuer". This would allow you to
exchange a Keycloak token for a facebook token or some other registered
broker.
[1] https://github.com/keycloak/keycloak/pull/4362
[2] http://www.ietf.org/id/draft-ietf-oauth-token-exchange-09.txt
7 years, 4 months
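The security model Bill lays out above, as an added example that is neither the pull request's code nor part of the original post. It models the three checks in order: authenticate the calling client the way the password grant does (client credentials), require a service account, and require either the realm role `token-exchanger` or the `token-exchanger` client role that belongs to the target (audience) client. The form parameter names follow the token-exchange draft and are an assumption about the PR; the actual rewriting of the subject token is not modelled, and the client registry is constructed.

```python
"""Authorization check for a token exchange request.

Added example, not the pull request's code. It encodes the security model in
the post: authenticate the calling client like the password grant does,
require a service account, and require the realm role "token-exchanger" or
the "token-exchanger" client role defined by the target (audience) client.
Form parameter names follow the token-exchange draft and are assumptions.
"""
import secrets
from dataclasses import dataclass, field

EXCHANGER_ROLE = "token-exchanger"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


@dataclass
class Client:
    client_id: str
    secret: str
    service_account_enabled: bool = False
    realm_roles: set = field(default_factory=set)     # realm roles of the service account
    client_roles: dict = field(default_factory=dict)  # owning client_id -> roles granted


def authenticate_client(clients, client_id, secret):
    """Same check as the password grant: confidential client credentials."""
    client = clients.get(client_id)
    if client is None or not secrets.compare_digest(client.secret, secret):
        return None
    return client


def authorize_exchange(clients, caller, audience):
    """Return (allowed, reason) for exchanging a token to client `audience`."""
    if audience not in clients:
        return False, "unknown audience"
    if not caller.service_account_enabled:
        return False, "calling client has no service account"
    if EXCHANGER_ROLE in caller.realm_roles:
        return True, "realm role token-exchanger"
    # The client role must be the one defined by the *target* client, not any client's.
    if EXCHANGER_ROLE in caller.client_roles.get(audience, set()):
        return True, f"client role token-exchanger of {audience}"
    return False, "service account lacks token-exchanger role"


def exchange_form(client_id, client_secret, subject_token, audience):
    """Form body the caller POSTs to the token endpoint (names per the draft)."""
    return {"grant_type": TOKEN_EXCHANGE_GRANT, "client_id": client_id,
            "client_secret": client_secret, "subject_token": subject_token,
            "audience": audience}


def handle_exchange(clients, form):
    """Server side: (http_status, response body) for one exchange request."""
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return 400, {"error": "unsupported_grant_type"}
    caller = authenticate_client(clients, form.get("client_id", ""), form.get("client_secret", ""))
    if caller is None:
        return 401, {"error": "invalid_client"}
    allowed, reason = authorize_exchange(clients, caller, form.get("audience", ""))
    if not allowed:
        return 403, {"error": "access_denied", "error_description": reason}
    # A real server would now validate form["subject_token"] and re-issue it for the audience.
    return 200, {"exchanged_for": form["audience"], "granted_by": reason}


# Constructed realm: a gateway with the realm role, a reporting client allowed
# to exchange only towards "billing", a billing client with no exchange rights,
# and a public-style client without a service account.
DEMO_CLIENTS = {c.client_id: c for c in [
    Client("gateway", "gw-secret", True, realm_roles={EXCHANGER_ROLE}),
    Client("reporting", "rep-secret", True, client_roles={"billing": {EXCHANGER_ROLE}}),
    Client("billing", "bill-secret", True),
    Client("kiosk", "kiosk-secret", False),
]}
```

The per-target client role is the interesting part of the model: `reporting` can mint tokens for `billing` but not for `gateway`, so a compromised service account only widens access to the clients that explicitly opted in, while the realm role is the blanket grant an API gateway would hold.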
Proposal of using existing authentication and authorization server on behalf of keycloak browser-based authentication
by 乗松隆志 / NORIMATSU,TAKASHI
Hello.
Previously, I had proposed the feature and its implementation of delegating authentication and authorization to an external existing server on behalf of keycloak's browser-based authentication mechanism, and had gotten advice that it is appropriate to use Identity Brokering for such a feature.
I've re-implemented this feature again by Identity Brokering. The description and implementation of this feature is mentioned below.
https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent
https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent/tree/maste...
It can delegate not only authentication but also authorization (consent).
Kindly review it and provide us some comments and advice.
We would like to contribute this feature onto keycloak.
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
---
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: Thursday, June 29, 2017 6:23 PM
To: 乗松隆志 / NORIMATSU,TAKASHI
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication server on behalf of keycloak browser-based authentication
There's an SPI to implement your own custom identity brokering provider [1].
[1] https://github.com/keycloak/keycloak/blob/master/server-spi-private/sr...
On 29 June 2017 at 10:51, 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com> wrote:
I need to use an authentication server without an OIDC/OAuth2/SAMLv2 implementation as an external IdP, in order to integrate an existing authentication system.
(some commercial products support such a case)
I consulted the identity broker's section in keycloak's manual below and found that if I use this feature the external IdP must support OIDC or SAMLv2.
https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-b...
Therefore, I realized it by using redirect based authentication flows.
Can Identity Brokering support such a case?
Aside from this, I'd like to contribute it to Community extensions and examples.
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
---
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: Tuesday, June 27, 2017 5:52 PM
To: 乗松隆志 / NORIMATSU,TAKASHI
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication server on behalf of keycloak browser-based authentication
I'm not in favour of adding this. If it's using redirect based authentication flows it should be done through identity brokering, not authentication flows. It's also a very complex example that we don't want to maintain. We're also in the process of moving all examples away from the main Keycloak repository into a separate quickstart repository.
On 27 June 2017 at 08:54, 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello.
Previously, I had proposed the feature of delegating authentication to an external authentication server on behalf of keycloak's browser-based authentication mechanism.
I've integrated this feature into keycloak's "examples" packages and sent a PR (https://github.com/keycloak/keycloak/pull/4260).
Hope this PR is reviewed and merged as an example for combining some providers to customize keycloak.
Detailed description of this feature is mentioned below.
https://github.com/Hitachi/PoV-keycloak-authentication-delegation
I am now engaging in integrating this feature into keycloak as product-base default providers, but have encountered technical problems with writing arquillian tests. Would someone tell me how to resolve this problem?
[Problem]
- I could not find how to run an external authentication server (an application running on wildfly 10) during each arquillian test case.
After resolving this problem and writing and running arquillian test cases, I'll send a PR for this feature as product-base default providers.
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7 years, 4 months
generic cli sso utility
by Bill Burke
I've developed a small command line utility around Keycloak Installed.
The idea is that this utility performs a login with keycloak to obtain
an access token. This utility saves the access and refresh token in a
file (similar to how ssh does in .ssh). Then bash scripts can be used to
export the access token as an environment variable so it can be used by
other command line utilities.
https://github.com/patriot1burke/keycloak/blob/master/adapters/oidc/insta...
https://github.com/patriot1burke/keycloak/tree/master/adapters/oidc/cli-sso
Eventually I'm thinking of creating a text/plain protocol with the Keycloak server so that launching a browser or cutting/pasting between the command line window and browser isn't a requirement. It would be a plain text challenge response protocol. This would require a bit more work as it would require reworking all of our built in authenticators and required action plugins.
7 years, 4 months
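The token-file part of the CLI design above, as an added example that is not Bill's utility and not part of the original post. It shows the piece the post compares with ssh: the tokens live in a file under the user's home that is created with owner-only permissions and refused if group or world readable (the rule ssh applies to private keys), and the access token's `exp` claim is checked before the token is exported to the shell. The file path, environment variable name and command name are assumptions; the JWT payload is decoded without any signature check because the client only carries the token, it does not rely on it, and the sample token is constructed.

```python
"""Token cache for a command-line SSO helper.

Added example, not the utility linked above. It covers the part of the design
the post compares with ssh: tokens kept in a file under the user's home,
created 0600 and refused if group/world readable (the rule ssh applies to
private keys), plus an `exp` check so a stale access token is never exported.
File path and environment variable name are assumptions. The JWT payload is
decoded without signature verification: the client only carries the token to
the services that will verify it.
"""
import base64
import json
import os
import shlex
import stat
import time

DEFAULT_PATH = os.path.expanduser("~/.keycloak/tokens.json")  # assumed location


def jwt_claims(token):
    """Decode the JWT payload only; no signature check (the client is not the verifier)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permissions_too_open(mode):
    """True if any group or other permission bit is set on the file mode."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def save_tokens(tokens, path=DEFAULT_PATH):
    """Write the token response with owner-only permissions from the first byte."""
    os.makedirs(os.path.dirname(path) or ".", mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)
    os.chmod(path, 0o600)  # the file may have pre-existed with looser bits


def load_tokens(path=DEFAULT_PATH):
    """Refuse a token file other users could read, as ssh refuses such keys."""
    mode = os.stat(path).st_mode
    if permissions_too_open(mode):
        raise PermissionError(f"{path}: mode {oct(mode & 0o777)} is too open")
    with open(path) as f:
        return json.load(f)


def access_token_usable(tokens, now=None, leeway=30):
    """True while the access token is at least `leeway` seconds from its exp."""
    exp = jwt_claims(tokens["access_token"]).get("exp", 0)
    return (time.time() if now is None else now) + leeway < exp


def export_line(tokens, var="KC_ACCESS_TOKEN"):
    """Shell line for eval "$(kc-sso env)"-style use (assumed command name)."""
    return f"export {var}={shlex.quote(tokens['access_token'])}"


def constructed_jwt(claims):
    """Unsigned, JWT-shaped string for demonstrations only (constructed data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.not-a-real-signature"
```

When `access_token_usable` returns False the helper should use the refresh token against the token endpoint and rewrite the file, rather than exporting a token that every downstream call will reject; exporting through `eval "$(...)"` keeps the token out of `ps` output, which passing it as a command-line argument would not.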
Do we care about reproducible builds?
by Stan Silvert
I'm asking this question about the community version of Keycloak. RH-SSO
absolutely must be reproducible.
The reason I ask is because we will soon stop checking node_modules into
github. javascript libraries will be pulled in at build time.
We will lock down the library versions with yarn, which means everything
is theoretically reproducible as long as the public npm repo is stable.
But if we want to be extra-sure, we can set up our own npm repo and
archive it with each community release.
WDYT? How much do we care about reproducible builds in community?
Stan
7 years, 4 months
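Stan's point that the build is "theoretically reproducible as long as the public npm repo is stable" rests on what a yarn lockfile actually pins. As an added example that is not Keycloak's build tooling and not part of the original post: a yarn v1 lockfile records, per resolved package, the exact version, the tarball URL and a content hash (older lockfiles append a SHA-1 to the URL as `...tgz#<sha1>`, newer ones add an `integrity sha512-...` line in SSRI format), so reproducibility only needs a source that still serves bytes matching those hashes, which is exactly what an archived private registry gives. The code parses such entries, verifies a tarball against the strongest hash recorded, and checks that the URL points at an allowed mirror host. The lockfile text and the tarball bytes are constructed.

```python
"""Pinning npm dependencies to content hashes, not just to a registry.

Added example, not Keycloak's build tooling. A yarn v1 lockfile records for
each resolved package the exact version, the tarball URL and a content hash:
older lockfiles carry a SHA-1 as a URL fragment (...tgz#<sha1>), newer ones
add an `integrity sha512-...` line in SSRI format. This parses such entries
and verifies a tarball against them. Lockfile text and tarball bytes are
constructed fixtures.
"""
import base64
import hashlib
import urllib.parse


def parse_yarn_lock(text):
    """Map every dependency spec to {version, resolved, sha1, integrity}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            # Header: one or more specs, e.g.  lodash@^4.17.4, lodash@^4.17.5:
            current = {"version": None, "resolved": None, "sha1": None, "integrity": None}
            for spec in line.rstrip()[:-1].split(", "):
                entries[spec.strip().strip('"')] = current
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(" ")
        value = value.strip('"')
        if key == "resolved":
            current["resolved"], _, fragment = value.partition("#")
            current["sha1"] = fragment or None
        elif key in ("version", "integrity"):
            current[key] = value
    return entries


def ssri(algorithm, data):
    """Subresource-integrity string as written in yarn.lock, e.g. sha512-<base64>."""
    return f"{algorithm}-" + base64.b64encode(hashlib.new(algorithm, data).digest()).decode()


def verify_tarball(entry, data):
    """Check tarball bytes against the strongest hash the entry carries -> (ok, reason)."""
    if entry["integrity"]:
        first = entry["integrity"].split(" ")[0]  # SSRI may list several; use the first
        algorithm = first.partition("-")[0]
        if algorithm not in ("sha256", "sha384", "sha512"):
            return False, f"unsupported integrity algorithm {algorithm}"
        return ssri(algorithm, data) == first, f"{algorithm} checked"
    if entry["sha1"]:
        # Legacy lockfiles have SHA-1 only: collision-weak, but still pins the archived bytes.
        return hashlib.sha1(data).hexdigest() == entry["sha1"], "sha1 only (legacy lockfile)"
    return False, "no hash recorded"


def resolved_from(entry, allowed_hosts):
    """True if the tarball URL points at one of your archived registries."""
    return urllib.parse.urlsplit(entry["resolved"] or "").hostname in allowed_hosts


# Constructed fixtures: the bytes stand in for a package tarball; the lockfile
# mixes a modern entry (integrity line, private mirror) with a legacy one
# (sha1 fragment only, public registry).
TARBALL = b"\x1f\x8b constructed bytes standing in for a .tgz"
LOCKFILE = f'''# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/core@^7.0.0":
  version "7.0.0"
  resolved "https://npm.example.internal/@babel/core/-/core-7.0.0.tgz#{hashlib.sha1(TARBALL).hexdigest()}"
  integrity {ssri("sha512", TARBALL)}

lodash@^4.17.4, lodash@^4.17.5:
  version "4.17.5"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.5.tgz#{hashlib.sha1(TARBALL).hexdigest()}"
'''
```

The two checks answer Stan's question separately: the hash verification is what makes a rebuild from an archived mirror provably the same input as the release build, and the host check is how a CI job notices that a lockfile still resolves to the public registry instead of the archive the release was supposed to be frozen against.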
Blacklist Password Policy
by Thomas Darimont
Hello,
I built a configurable Password Policy that allows matching a given password against a blacklist of easy to guess passwords that should not be allowed as user passwords.
The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI with a ";" delimited list of easy to guess passwords.
If the user or admin wants to change the password, it is checked against the blacklist.
A password list can be found here:
https://github.com/danielmiessler/SecLists/tree/master/Passwords
A blacklist is of course not a perfect solution but could still be useful
for some users.
The password blacklist would be compiled to a trie at startup (and on changes of the blacklist) for efficient lookups.
WDYT?
Cheers,
Thomas
7 years, 4 months
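The trie-backed blacklist Thomas describes, as an added example that is not the BlacklistPasswordPolicyProvider itself and not part of the original post. It compiles the ";"-delimited admin configuration into a trie, recompiles when the configuration changes, and checks each password change against it. Two details the post leaves open are decided here and are assumptions: matching is case-insensitive, and an optional prefix mode additionally rejects passwords that merely start with a blacklisted word of some minimum length ("password1"), which is the case where a trie does something a plain hash set cannot. The error message key is an assumption as well.

```python
"""Password blacklist check compiled to a trie.

Added example, not the BlacklistPasswordPolicyProvider itself. It follows the
design in the post: the admin-supplied ";"-delimited list is compiled into a
trie, rebuilt whenever the configuration changes, and each password change is
checked against it. Assumptions made here: matching is case-insensitive, an
optional prefix mode also rejects passwords that merely start with a
blacklisted word, and the error message key is invented.
"""


class Trie:
    __slots__ = ("children", "terminal")

    def __init__(self):
        self.children = {}
        self.terminal = False

    def insert(self, word):
        node = self
        for ch in word:
            node = node.children.setdefault(ch, Trie())
        node.terminal = True

    def contains(self, word):
        node = self
        for ch in word:
            node = node.children.get(ch)
            if node is None:
                return False
        return node.terminal

    def longest_blacklisted_prefix(self, word):
        """Longest blacklisted word that `word` starts with, or None; one walk."""
        node, found = self, None
        for i, ch in enumerate(word):
            node = node.children.get(ch)
            if node is None:
                break
            if node.terminal:
                found = word[: i + 1]
        return found


def normalize(password):
    """Case-insensitive comparison; trailing whitespace is never significant."""
    return password.strip().lower()


def compile_blacklist(entries):
    """Build the trie once from any iterable of entries (config value or file lines)."""
    trie, count = Trie(), 0
    for raw in entries:
        word = normalize(raw)
        if word:
            trie.insert(word)
            count += 1
    return trie, count


class BlacklistPasswordPolicy:
    ERROR = "invalidPasswordBlacklistedMessage"  # assumed message key

    def __init__(self, config_value, reject_prefix=False, min_prefix_len=6):
        self.reject_prefix = reject_prefix
        self.min_prefix_len = min_prefix_len  # keeps short entries from rejecting everything
        self.update(config_value)

    def update(self, config_value):
        """Recompile on configuration change (the post's 'on changes of the blacklist')."""
        self.trie, self.size = compile_blacklist(config_value.split(";"))

    def validate(self, password):
        """None if acceptable, otherwise the error key to show the user."""
        word = normalize(password)
        if self.trie.contains(word):
            return self.ERROR
        if self.reject_prefix:
            prefix = self.trie.longest_blacklisted_prefix(word)
            if prefix and len(prefix) >= self.min_prefix_len:
                return self.ERROR
        return None
```

A blacklist of a few hundred thousand SecLists entries compiles in well under a second and the lookup cost is the length of the candidate password, so the check adds nothing noticeable to a password change; the prefix mode is the part to enable deliberately, since without the minimum length a two-letter entry would reject every password beginning with those letters.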