Do we care about reproducible builds?
by Stan Silvert
I'm asking this question about the community version of Keycloak. RH-SSO
absolutely must be reproducible.
The reason I ask is because we will soon stop checking node_modules into
GitHub. JavaScript libraries will be pulled in at build time.
We will lock down the library versions with yarn, which means everything
is theoretically reproducible as long as the public npm repo is stable.
But if we want to be extra-sure, we can set up our own npm repo and
archive it with each community release.
WDYT? How much do we care about reproducible builds in community?
Stan
7 years, 2 months
Blacklist Password Policy
by Thomas Darimont
Hello,
I built a configurable Password Policy that allows matching a given password
against a blacklist of easy-to-guess passwords that should not be allowed as
user passwords.
The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
with a ";" delimited list of easy to guess passwords.
If the user or admin wants to change the password, it is checked against
the blacklist.
A password list can be found here:
https://github.com/danielmiessler/SecLists/tree/master/Passwords
A blacklist is of course not a perfect solution but could still be useful
for some users.
The password blacklist would be compiled to a trie at startup (and on changes
to the blacklist) for efficient lookups.
WDYT?
Cheers,
Thomas
7 years, 2 months
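An added example (not the BlacklistPasswordPolicyProvider from the post above) of the mechanism Thomas describes: a ";"-delimited list from the admin UI is compiled into a trie, and a candidate password is rejected if it is found there. The config string, the case-insensitive comparison and the error message text are assumptions of this example, not Keycloak's.

```python
from typing import Dict, Iterable, Optional


class _TrieNode:
    __slots__ = ("children", "terminal")

    def __init__(self) -> None:
        self.children: Dict[str, "_TrieNode"] = {}
        self.terminal = False  # True if a blacklist entry ends at this node


class PasswordBlacklist:
    """Blacklist compiled into a trie; rebuild it whenever the configured list changes."""

    def __init__(self, entries: Iterable[str]) -> None:
        self._root = _TrieNode()
        self.size = 0  # number of distinct entries
        for entry in entries:
            self.add(entry)

    @classmethod
    def from_config(cls, config: str, delimiter: str = ";") -> "PasswordBlacklist":
        # Admin UI value such as "password;123456;qwerty" (format assumed from the post);
        # surrounding whitespace and empty items are dropped.
        return cls(item.strip() for item in config.split(delimiter) if item.strip())

    def add(self, entry: str) -> None:
        node = self._root
        for ch in entry.lower():  # case-insensitive matching is an assumption of this example
            node = node.children.setdefault(ch, _TrieNode())
        if not node.terminal:
            node.terminal = True
            self.size += 1

    def contains(self, password: str) -> bool:
        """Exact (case-insensitive) membership walk down the trie."""
        node = self._root
        for ch in password.lower():
            node = node.children.get(ch)
            if node is None:
                return False
        return node.terminal


def validate_password(blacklist: PasswordBlacklist, password: str) -> Optional[str]:
    """Policy-provider style check: None when the password passes, else an error message."""
    if blacklist.contains(password):
        return "Invalid password: password is blacklisted"  # message text is illustrative
    return None


if __name__ == "__main__":
    # Constructed config value; in practice the entries would come from a list such as
    # the SecLists password files linked in the post.
    bl = PasswordBlacklist.from_config("password;123456;qwerty;letmein")
    for candidate in ["Password", "password1", "correct horse battery staple"]:
        print(candidate, "->", validate_password(bl, candidate))
```

For exact-match lookups a hash set gives the same answer in O(1); the trie only pays off if the policy is later extended to prefix or substring rules, which the post does not propose.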
Unexpected behavior: Obtaining new access tokens with an access token
by Bart Toersche
Hi,
I would like to report some unexpected behavior while requesting access-
and refresh token pairs. It is possible to obtain a new access- and refresh
token pair using only an access token. To describe this more thoroughly; If
someone obtained a valid access token s/he can obtain a new access- and
refresh token pair without ever knowing the refresh token.
The problem is that refresh tokens never leave the client except when
requesting a new one at the authorization server. However, the access token
is sent to resource servers for obtaining resources (obviously). But now a
resource server is actually able to obtain a new access- and refresh token
pair on behalf of the user as well, which was never the user's intention
(since it can keep a valid token indefinitely by refreshing it).
Of course, since the resource server doesn't have client credentials for
private clients it cannot obtain a new access- and refresh token pair for
those. However, it can do so for public clients as only their name is
known. (In fact, it is available in the "azp" claim of the access token.)
Steps to reproduce (I tested this with a clean setup of Keycloak
3.2.0-Final):
1. We will use the admin-cli client and the admin account. You can do this
with any client and account, but since this is already set up for this
particular example, it makes things a bit easier.
2. Using the admin account, fetch a new access- and refresh token pair
using any grant type. We will be using the password grant:
curl --data "client_id=admin-cli&grant_type=password&username=<admin_uname>&password=<admin_pw>" http://localhost:8080/auth/realms/master/protocol/openid-connect/token
3. Grab the access_token value from the response and perform a refresh
grant using this access token:
curl --data "client_id=admin-cli&grant_type=refresh_token&refresh_token=<grabbed_access_token>" http://localhost:8080/auth/realms/master/protocol/openid-connect/token
4. You will now have a response including a new access- and refresh token
pair.
This unexpected behavior can be solved by either checking the "typ" claim
to be set to "Refresh", or, when time allows, using a different signing
secret for the access- and refresh tokens. I would prefer the latter
solution.
Thanks in advance,
Bart Toersche
7 years, 2 months
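An added example, not Keycloak code, that models the behaviour reported above and the first fix Bart proposes: a token endpoint that only verifies the signature before honouring grant_type=refresh_token will accept an access token (which every resource server sees) in place of a refresh token, while one that also checks typ == "Refresh" will not. The HS256 signing with a shared demo key, the claim set and the function names are assumptions made to keep the example self-contained; Keycloak signs both tokens with the realm's RSA key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key standing in for the realm signing key. Both token types are
# signed with it, which is exactly what makes the signature alone an insufficient check.
REALM_KEY = b"constructed-demo-realm-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = REALM_KEY) -> str:
    """Build header.payload.signature with HS256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes = REALM_KEY) -> Optional[dict]:
    """Return the claims if the signature verifies under this key, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON are all ValueError subclasses
        return None


def issue_token_pair(client_id: str, subject: str, now: Optional[int] = None) -> Tuple[str, str]:
    """Mimic the token endpoint: the two tokens share a key and differ mainly in 'typ'."""
    now = int(time.time()) if now is None else now
    access = sign_jwt({"typ": "Bearer", "azp": client_id, "sub": subject, "iat": now, "exp": now + 300})
    refresh = sign_jwt({"typ": "Refresh", "azp": client_id, "sub": subject, "iat": now, "exp": now + 1800})
    return access, refresh


def refresh_grant_vulnerable(client_id: str, presented: str, now: Optional[int] = None):
    """Signature-only check: any realm-signed JWT naming this client in 'azp' is honoured,
    so an access token captured by a resource server works as a refresh token."""
    claims = verify_jwt(presented)
    if claims is None or claims.get("azp") != client_id:
        return None
    return issue_token_pair(client_id, claims["sub"], now)


def refresh_grant_hardened(client_id: str, presented: str, now: Optional[int] = None):
    """Additionally require typ == 'Refresh' and an unexpired token."""
    now = int(time.time()) if now is None else now
    claims = verify_jwt(presented)
    if claims is None:
        return None
    if claims.get("typ") != "Refresh":  # the check the report asks for
        return None
    if claims.get("azp") != client_id or claims.get("exp", 0) <= now:
        return None
    return issue_token_pair(client_id, claims["sub"], now)


if __name__ == "__main__":
    access, refresh = issue_token_pair("admin-cli", "admin")
    # Step 3 of the report: present the *access* token as the refresh_token parameter.
    print("vulnerable: access token accepted as refresh token ->", refresh_grant_vulnerable("admin-cli", access) is not None)
    print("hardened:   access token accepted as refresh token ->", refresh_grant_hardened("admin-cli", access) is not None)
    print("hardened:   real refresh token accepted            ->", refresh_grant_hardened("admin-cli", refresh) is not None)
```

The second fix Bart prefers, a separate signing secret for refresh tokens, maps onto this model as verifying the presented token with a dedicated refresh key (verify_jwt(presented, REFRESH_KEY)); an access token signed with the realm key then fails signature verification outright rather than relying on the typ claim.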
User Managed Access and UMA 2.0 Changes
by Pedro Igor Silva
Hey All,
Sorry for the long message, but I tried to highlight some important bits of
what I'm doing :) I'm not done yet, so here are the ideas I'm considering
....
I'm almost done with the initial changes to get the user managed access
bits of UMA.
Basically, this is about providing the backbone in order to support use
cases such as resource sharing, authorization flows and users capable of
managing their own resources.
A really interesting feature set for IoT use cases, as well as for those looking
to give more privacy control to their users (not only security).
In a nutshell, we have now a new entity in our model:
* PermissionTicketEntity
This entity holds all information we need in order to know which
resource/scope was requested and when. Plus any additional claims the RS
wants to associate with a permission request.
This entity will allow us to perform:
* Queries to obtain the person/entity that needs to approve a permission
request
* Queries to obtain the person/entity looking for access
* Queries to obtain the resources/scopes being requested
* For how long a permission is valid
* Which claims (contextual data pushed by the RS when issuing a permission
ticket) are associated with a permission request and need to be approved by
the owner and enforced by the RS.
As you know, the UMA flow starts with a client trying to access a resource
protected by a RS. At this moment the RS issues a *permission ticket* which
then is returned to the client to give him a chance to obtain the RPT
(token with the actual permissions) from the AS.
Two things here:
* Only resources that support "user/owner managed access" are supposed to
have permission tickets persisted
* The RS can set additional claims to the permission ticket in order to
provide contextual data for policies and let them take any decision
considering this data. E.g.: I need to withdraw some money from my wife's
bank account, but she only wants to let me do it if the amount is <= $100.
Basic sharing will be based on a simple approval/reject of a permission
request (permission ticket).
Please, let me know what you think.
Thanks.
7 years, 2 months
Keycloak and HAProxy
by Shankar_Bhaskaran
Hi,
We have configured HAProxy as our load balancer and keycloak (3.0) as our SSO. We have configured the keycloak domain and secured our wars with keycloak for our web application.
In HAProxy we have provided the "forwardfor" option, which introduces the header parameter "X-Forwarded-For", and configured Keycloak as given below to accept the header parameter.
"<http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true"/>"
But still the redirect from keycloak is going to HAProxy machine and not to backend servers with our webapp.
Is there any help you can provide here?
Regards,
Shankar
7 years, 2 months
(no subject)
by Thomas Darimont
Hello,
how can I add a new dependency to the keycloak modules/system/layers/base
when building a server distribution?
I need to add org.apache.commons:commons-collections4 for the PatriciaTrie
which I need for my BlacklistPasswordPolicyProvider: [0]
I tried adding a dependency to keycloak/dependencies/server-all/pom.xml but
I still get CNFEs if I try to run the server from the dist-build.
Caused by: java.lang.ClassNotFoundException:
org.apache.commons.collections4.trie.PatriciaTrie from [Module
"org.keycloak.keycloak-server-spi-private" from local module loader
@282ba1e (finder: local module finder @13b6d03 (roots:
/home/tom/dev/playground/keycloak/keycloak-3.3.0.CR1-SNAPSHOT/modules,/home/tom/dev/playground/keycloak/keycloak-3.3.0.CR1-SNAPSHOT/modules/system/layers/keycloak,/home/tom/dev/playground/keycloak/keycloak-3.3.0.CR1-SNAPSHOT/modules/system/layers/base))]
Cheers,
Thomas
[0]
https://github.com/thomasdarimont/keycloak/commit/59a84df2f70623f11bd4d78...
7 years, 2 months