July 2017 - keycloak-dev - Jboss List Archives

Wildcard for Valid Redirect URI Hostname

by Josh Cain

Per KEYCLOAK-3585: <https://issues.jboss.org/browse/KEYCLOAK-3585> Currently, valid redirect URI hostnames allow for wildcards at the end like so: http://www.redhat.com/* I'm managing several environments where clients need 'n' number of available redirect URI's with different hostnames, I.E. http://developer1.env.redhat.com http://developer2.env.redhat.com http://developer3.env.redhat.com Would really help to have the ability to wildcard hostnames too, I.E.: http://*.env.redhat.com I've submitted #3241 <https://github.com/keycloak/keycloak/pull/3241> to address this issue, but there seem to be some concerns about allowing wildcards in other parts of the URL. See the PR for a more fleshed out discussion, but wanted to start a thread here on the mailing list. Particularly with respect to: - Does anyone have need of this feature or would find it useful? - Should this kind of wildcard be allowed as a configuration option by Keycloak? Josh Cain | Software Applications Engineer *Identity and Access Management* *Red Hat* +1 256-452-0150

2 years, 5 months

5
13
0 / 0

Authenticating Desktop Applications with Keycloak and the keycloak-installed adapter

by Thomas Darimont

Hello folks, I played a bit with the undocumented? [0] keycloak-installed adapter [1] for integrating desktop applications with Keycloak SSO and found some issues with it, which I'd like to share. Small explanation for those who are reading the list but don't know the adapter... [2] First some general notes / suggestions: Is the keycloak-installed adapter something that will stay in keycloak or was this just a PoC? In the former case I think there are some things that could be improved or extended a bit: - Allow users to customize the locale used for the login pages opened by the adapter - Provide customizable response templates (perhaps by leveraging a provided ResourceBundle) - Allow to customize pages shown after login / logout served by the keycloak-installed adapter - Add support for TLS (with custom certificates) for https:// with localhost I noticed that some browsers (e.g. Chrome) show an error page when trying to redirect to the local mini-webserver after a successful login since the mini-webserver (...server-socket) embedded in the adapter doesn't respond with a valid HTTP response. With that fixed, it worked with all browsers I tested (IE, Firefox, Chrome). My current modifications of the keycloak-installed adapter (with HTTP response fixes and response customizations) are here: https://github.com/thomasdarimont/keycloak/commit/b8ee52a946e73503b1737f5... An extended example (using the the modified keycloak-installed adapter) can be found here: https://gist.github.com/thomasdarimont/c59c14f45ea2ee00d7b6fbe2c013c5f1 WDYT? Cheers, Thomas [0] Not mentioned here: https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java... [1] https://github.com/keycloak/keycloak/tree/master/adapters/oidc/installed [2] For those that haven't seen the adapter yet, it allows to authenticate against Keycloak from a desktop app (e.g. swing, javafx) by opening a desktop browser window where a user uses the regular keycloak login pages to login. The trick is now that login page is opened with redirect URL that points to a small local "web server" (server-socket) on a free ephemeral port which is started by the adapter. After logging in the mini web-server receives performs the authenorization code flow and eventually receives the tokens (access_token, refresh_token, id_token) which can then be used to call backend services from the client or retrieve new tokens A nice side effect of this is, that the desktop application never sees a users password and one can leverage existing SSO sessions. Btw. the google cloud cli uses the same approach to authenticate with gcp. The Keycloak repo contains a small example for this: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...

3 years, 4 months

4
13
0 / 0

ProviderFactory::postDeploy?

by Dmitry

Hi, At the moment, the ProviderFactory::postInit() method is not called during hot (re)deployment of providers, only during server startup. This is considered a bug (see discussion in keycloak-user, KEYCLOAK- 5131 and PR #4282). Meanwhile, Marek and I have been discussing the problem of accessing data model from postInit (see the keycloak-user post). Turns out that the semantics should be significantly different depending on whether postInit() is called during server startup or hot deploy. In the first case, one should listen for PostMigrationEvent. In the second case, the event is not available and thus shouldn't be listened for. However, the provider should be able to somehow distinguish the cases. There are some hacks like analyzing current thread name, querying JNDI or Resteasy, but maybe we can come up with something more clean and simple? Marek has suggested that the new method should be introduced on the ProviderFactory interface, with empty default implementation (in order not to break the code). What do you think? Dmitry

3 years, 5 months

4
3
0 / 0

Renaming testsuite/integration to testsuite/integration-deprecated

by Stian Thorgersen

I would like to rename testsuite/integration to testsuite/integration-deprecated. This is to make it clear to external contributors that the testsuite is deprecated and new tests should be added to testsuite/integration-arquillian. I would also like to rename testsuite/integration-arquillian to testsuite/integration.

3 years, 8 months

4
6
0 / 0

token exchange

by Bill Burke

I've implemented a simple token exchange API [1] that allows you to exchange an access token created for one client to another client. The REST API follows the oauth token exchange api [2] very loosely. subject_token: a keycloak access token audience: takes a client id It then converts the access token created for one client and converts it to another. It lives under the token endpoint. The security model is as follows: * Authenticate calling client the same way as password grant. * The calling client must have service account enabled * Service account must have a realm role "token-exchanger" grant edto it or, it must have a client role "token-exchanger" granted to it. This exchanger client role is a role defined by the target client you are exchanging the token to. Is this a good security model? I'm thinking of not creating these roles right now and to enable support for exchange would require defining the roles specified above. Future work would be to have an additional subject_issuer and requested_issuer parameters. "subject_issuer" would match to a broker alias, so you could exchange a facebook token for a keycloak realm token. Same thing goes for "requested_issuer". This would allow you to exchange a Keycloak token for a facebook token or some other registered broker. [1] https://github.com/keycloak/keycloak/pull/4362 [2] http://www.ietf.org/id/draft-ietf-oauth-token-exchange-09.txt

3 years, 8 months

3
21
0 / 0

Proposal of using existing authentication and authorization server on behalf of keycloak browser-based authentication

by 乗松隆志 / NORIMATSU，TAKASHI

Hello. Previously, I had proposed the feature and its implementation of delegating authentication and authorization to an external existing server on behalf of keycloak's browser-based authentication mechanism, and had gotten advices that it is appropriate to use Identity Brokering for such the feature. I've re-implemented this feature again by Identity Brokering. The description and implementation of this feature is mentioned below. https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent/tree/maste... It can delegate not only authentication but authorization(consent). Kindly review it and provide us some comment and advices. We would like to contribute this feature onto keycloak. Best Regards Takashi Norimatsu Hitachi, Ltd. --- From: Stian Thorgersen [mailto:sthorger@redhat.com] Sent: Thursday, June 29, 2017 6:23 PM To: 乗松隆志 / NORIMATSU，TAKASHI Cc: keycloak-dev(a)lists.jboss.org Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication server on behalf of keycloak browser-based authentication There's an SPI to implement your own custom identity brokering provider [1]. [1] https://github.com/keycloak/keycloak/blob/master/server-spi-private/sr... On 29 June 2017 at 10:51, 乗松隆志 / NORIMATSU，TAKASHI <takashi.norimatsu.ws(a)hitachi.com> wrote: I need to use the authentication server without OIDC/OAuth2/SAMLv2 implementation as an external IdP, in order to integrate existing authentication system. (some commercial products supports such the case) I consulted identity broker's section in keycloak's manual below and found that if I use this feature the external IdP must support OIDC or SAMLv2. https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-b... Therefore, I realized it by using redirect based authentication flows. Can identity Brokering can support such the case? Aside from this, I'd like to contribute it to Community extensions and examples. Best Regards Takashi Norimatsu Hitachi, Ltd. --- From: Stian Thorgersen [mailto:sthorger@redhat.com] Sent: Tuesday, June 27, 2017 5:52 PM To: 乗松隆志 / NORIMATSU，TAKASHI Cc: keycloak-dev(a)lists.jboss.org Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication server on behalf of keycloak browser-based authentication I'm not in favour of adding this. If it's using redirect based authentication flows it should be done through identity brokering, not authentication flows. It's also a very complex example that we don't want to maintain. We've also in the process of moving all examples away from the main Keycloak repository into a separate quickstart repository. On 27 June 2017 at 08:54, 乗松隆志 / NORIMATSU，TAKASHI <takashi.norimatsu.ws(a)hitachi.com> wrote: Hello. Previously, I had proposed the feature of delegating authentication to an external authentication server on behalf of keycloak's browser-based authentication mechanism. I've integrated this feature to keycloak's "examples" packages and send PR (https://github.com/keycloak/keycloak/pull/4260). Hope this PR is reviewed and merged as an example for combining some providers to customize keycloak. Detailed description of this feature is mentioned below. https://github.com/Hitachi/PoV-keycloak-authentication-delegation I am now engaging in integrating this feature to keycloak as product-base default providers, but encounter technical problems about writing arquillian. Would someone tell me how to resolve this problem? [Problem] - I could not find how to run an external authentication server(application running on wildfly 10) during each arquillian test cases. After resolving this problem and writing and running arquillian test cases, I'll send PR for this feature as product-base default providers. Best Regards Takashi Norimatsu Hitachi, Ltd. _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

3 years, 8 months

2
5
0 / 0

generic cli sso utility

by Bill Burke

I've developed a small command line utility around Keycloak Installed. The idea is that this utility performs a login with keycloak to obtain an access token. This utility saves the access and refresh token in a file (similar to how ssh does in .ssh). Then bash scripts can be used to export the access token as an environment variable so it can be used by other command line utilities. https://github.com/patriot1burke/keycloak/blob/master/adapters/oidc/insta... https://github.com/patriot1burke/keycloak/tree/master/adapters/oidc/cli-sso Eventually I'm thinking of creating a text/plain protocol with Keycloak server so that launching a browser or cutting/pasting between the command line window and browser isn't a requirement. It woudl be a plain text challenge response protocol. This would require a bit more work as it would require reworking all of our built in authenticators and required action plugins.

3 years, 8 months

5
11
0 / 0

WebSocket token validation

by David Klingenberg

Hi guys, we are using keycloak in our project and we need to use websockets. There is currently no official solution for keycloak - websocket integration, but there is a great library in hawkular for this purpose: https://github.com/hawkular/hawkular-accounts/tree/master/websocket-api I think it would be great if this could become part of keycloak. What do you think? I'm willing to contribute on it. Best Regards, David

3 years, 9 months

2
1
0 / 0

Do we care about reproducible builds?

by Stan Silvert

I'm asking this question about the community version of Keycloak. RH-SSO absolutely must be reproducible. The reason I ask is because we will soon stop checking node_modules into github. javascript libraries will be pulled in at build time. We will lock down the library versions with yarn, which means everything is theoretically reproducible as long as the public npm repo is stable. But if we want to be extra-sure, we can set up our own npm repo and archive it with each community release. WDYT? How much do we care about reproducible builds in community? Stan

3 years, 9 months

5
6
0 / 0

Blacklist Password Policy

by Thomas Darimont

Hello, I build a configurable Password Policy that allows to match a given password against a blacklist with easy to guess passwords that should be not allowed as user passwords. The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI with a ";" delimited list of easy to guess passwords. If the user / or admin want's to change the password it is checked against the blacklist. A password list can be found here: https://github.com/danielmiessler/SecLists/tree/master/Passwords A blacklist is of course not a perfect solution but could still be useful for some users. Password blacklist would be compiled to a trie at startup (and on changes of the blacklist) for efficient lookups. WDYT? Cheers, Thomas

3 years, 9 months

4
11
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev July 2017