User TLS client certificate authentication - inconsistent DN string representation with LDAP
by Peck, Michael A
Hello,
I’ve configured Keycloak to authenticate users using TLS client certificate authentication.
I’ve also configured Keycloak to synchronize users with my LDAP server.
I’d like to match the TLS client certificate’s Subject DN to the Subject DNs synchronized from my LDAP server (which are stored by Keycloak in each user’s LDAP_ENTRY_DN attribute).
I’ve set that up, but am running into an issue that Keycloak appears to have inconsistent string representations of DNs between those two methods - so the Subject DNs from the TLS client certificate and the LDAP server aren’t matching as I was expecting.
The TLS client certificate DNs look like this:
CN=Peck Michael, OU=People, DC=test, DC=net
While the LDAP_ENTRY_DN attribute is formatted like this:
cn=Peck Michael,ou=People,dc=test,dc=net
It looks to me that the TLS client certificate DN string representation is coming from the standard Java X500Principal class used by calls to X509Certificate.getSubjectDN().getName() in keycloak/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java and the LDAP_ENTRY_DN string representation is coming from the toString method in keycloak/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java.
I modified the LDAPDn class’s toString method to follow the same format as used in the TLS client certificate DNs, and authentication works for me now.
Would the Keycloak project consider accepting a pull request to change the way LDAPDn formats DNs as strings?
(However I have not checked if this would impact other uses of the LDAPDn class within Keycloak or cause problems with upgrading existing deployments?)
The suggested change follows:
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java b/federation/ldap/src/main/
index 39e7d97..2f8c805 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
@@ -87,9 +87,9 @@ public class LDAPDn {
if (first) {
first = false;
} else {
- builder.append(",");
+ builder.append(", ");
}
- builder.append(rdn.attrName).append("=").append(rdn.attrValue);
+ builder.append(rdn.attrName.toUpperCase()).append("=").append(rdn.attrValue);
}
return builder.toString();
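Review bot: `rdn.attrName.toUpperCase()` on the second `+` line uses the platform default locale, so under a Turkish locale a lower-case `i` is upper-cased to a dotted `İ` and the DN no longer matches; if the change stays it should be `toUpperCase(Locale.ROOT)` with `java.util.Locale` imported. The larger problem is that both `+` lines alter what `LDAPDn.toString()` returns for every caller and for `LDAP_ENTRY_DN` values already stored by existing deployments (the message itself flags this as unchecked), and the `", "` separator is not the RFC 4514 form either. A change confined to the comparison site, normalising both DN strings before comparing (attribute types case-insensitive, whitespace around separators ignored), would avoid the compatibility risk and not depend on how X500Principal happens to format the certificate subject. The hunk also carries no unit test covering the new output format.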
Thank you,
Michael Peck
The MITRE Corporation
5 years, 9 months
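The mismatch described in the post is a serialisation difference, not a difference in identity, so the comparison can be made robust without changing how either side formats its DN. The following Python is an added example, not Keycloak code or the poster's patch: it parses an RFC 4514 DN string into RDN components, lower-cases attribute types, discards the unescaped whitespace around separators, decodes backslash and hex escapes, and applies case-insensitive matching to the attribute types listed in CASE_IGNORE_TYPES. That set, the function names, and the treatment of multi-valued RDNs as a single value are assumptions of the example.

```python
import re

# Attribute types whose LDAP matching rule is caseIgnoreMatch: their values
# compare case-insensitively with runs of whitespace collapsed. Assumed set
# for this example; extend it to match the schema in use.
CASE_IGNORE_TYPES = {"cn", "ou", "o", "dc", "c", "st", "l", "uid"}


def _split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped characters untouched."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Decode RFC 4514 escapes: '\\c' for a special character and '\\XX' hex
    pairs. Hex pairs are UTF-8 bytes, so the text is decoded once at the end."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                raw.append(int(pair, 16))
                i += 3
                continue
            raw += value[i + 1].encode("utf-8")
            i += 2
            continue
        raw += value[i].encode("utf-8")
        i += 1
    return raw.decode("utf-8", errors="replace")


def parse_dn(dn):
    """Return the DN as a list of (attribute_type, value) pairs, root last.
    Multi-valued RDNs ('cn=a+sn=b') are kept as one value: a simplification."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type, raw_value = rdn.split("=", 1)
        # Whitespace around the separators is not part of the value; only an
        # escaped space ('\\ ') is, so a trailing space preceded by '\\' stays.
        raw_value = re.sub(r"(?<!\\)\s+$", "", raw_value.lstrip())
        rdns.append((attr_type.strip().lower(), _unescape(raw_value)))
    return rdns


def canonical(dn):
    """Comparison key for a DN: types lower-cased, caseIgnore values case-folded
    with whitespace collapsed, all escapes resolved. Not meant for display."""
    key = []
    for attr_type, value in parse_dn(dn):
        if attr_type in CASE_IGNORE_TYPES:
            value = " ".join(value.casefold().split())
        key.append((attr_type, value))
    return tuple(key)


def dn_equal(a, b):
    """True when a and b name the same entry regardless of serialisation."""
    return canonical(a) == canonical(b)


if __name__ == "__main__":
    cert_dn = "CN=Peck Michael, OU=People, DC=test, DC=net"  # form quoted in the post
    ldap_dn = "cn=Peck Michael,ou=People,dc=test,dc=net"     # form quoted in the post
    print("naive string compare:", cert_dn == ldap_dn)
    print("normalised compare:  ", dn_equal(cert_dn, ldap_dn))
```

Applied at the authenticator's comparison site, this accepts both the X500Principal form and the LDAPDn form without touching LDAPDn.toString(), so stored LDAP_ENTRY_DN values and other callers are unaffected.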
Authentication SPI - Pinning the IDP
by gambol
Hiya
Hopefully someone knows a way around this ..
We have a requirement to pin a keycloak client to a specific group of login
options i.e. they can only login via a social provider and not a local
username/password, BUT we also wish to allow certain users the ability to
override the behavior. I mocked up an authenticator which used the
IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME, checked it against a
configurable list for the authenticator and also looked for a user override
attribute. Now on first login that works fine, but as the access token
comes up for refresh the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME is
not retained (I guess because it's now an sso session refresh and not a
login) and so the authenticator throws the error message.
Is it possible to hook into login only? .. Anyone think of another way
around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain the
logged in provider, but that doesn't appear to work either.
Disclaimer: I know the official stance would be the IDP provides
authentication only with authorization handled by the application end, but
in many cases third party applications can't support this .. so was hoping
we could control it at source.
Rohith
5 years, 9 months
Make theme properties available in email templates
by Guilhem Lucas
Hello,
I need to have theme properties available in Freemarker email templates
(like in login and account theme).
I overrode FreeMarkerEmailTemplateProvider to add them in a new attribute
"properties", but I think it could be useful to have it by default in
Keycloak.
Is it possible to do it? If necessary I can create a pull request.
Thank you.
Guilhem Lucas
5 years, 10 months
Questions about adding new identity providers
by Wladislaw Mitzel
Hi all,
How is the addition of new identity providers handled in this project? I'd love to have a vk.com integration in keycloak. After some search, I've found this pull request [1] which adds PayPal as a new IdP. I think it's a pretty good "blueprint" of how to add a new IdP. I plan to give it a try and implement vk.com. This raises the following questions:
1) Is this implementation of a vk.com IdP something the project is interested in?
2) Does the answer to 1) apply to all IdPs? I mean vk.com is a quite large social network. What about some less known websites providing OAuth2 authentication. Would *any* IdP be added to the project? Are there certain criteria from which you can decide?
3) What do you think about a feature which would make it possible to "configure" arbitrary OAuth2 Providers as IdPs using the Admin Console? To me most of the implementations of org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider look pretty similar. The main differences are how to interpret the responses of the IdP: I wonder whether this could be generalised.
I look forward to your answers,
Kind Regards,
Wladislaw
[1] https://github.com/keycloak/keycloak/pull/4449
5 years, 11 months
Questions around keycloak IdP initiated flow
by Bhavana Motwani
Hi all
We are using keycloak 4.5.0 for SP-initiated and IdP-initiated auth flows.
We are using Auth0 as the external IdP for test purposes.
We have managed the SP-initiated flow successfully. But we are facing
issues with IdP initiated flow. I was hoping you could help.
1. Will the external IdP need two separate clients to connect to our
keycloak instance, one for SP-initiated and other for IdP. PFA the metadata
we generated for SP-initiated flow. The SingleLogoutService.Location and
AssertionConsumerService.Location are
'https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-s...'
But, for IdP initiated flow, we are having to replace the above with
'https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-s...'
This would result in 2 clients on the external IdP side.
Is there a way to avoid this?
2. With the IdP initiated flow, we are also facing issues with backchannel
logout. It gives a certificate issue. What certificate does keycloak
expect? The SP client's or the external IdP's?
Any help will be appreciated!
Thank you once again.
5 years, 11 months
Token Verifier behaviour change since 4.4.0.Final
by Арсений Красеньков
Hello everyone!
I recently discovered an undocumented behaviour change in the Token Verification provider (formerly RSATokenVerifier), starting from Keycloak ver. 4.4.0.Final and caused by https://issues.jboss.org/browse/KEYCLOAK-7560. In short, TokenVerifier now by default does not check token expiration. This causes, for example, successful responses to Userinfo requests even if the token has expired.
Because this change was not documented I consider it a bug and would like to create an issue.
Any thoughts on this point?
Sincerely,
Arseny.
5 years, 11 months
[keycloak-gatekeeper] Defense against cookie replay
by BIDON Frederic
Hello all
I am working on a hybrid use-case in which the API gateway (keycloak-gatekeeper) checks traffic from (i) trusted server-side apps (e.g. serving server-based UIs) and (ii) browser apps (e.g. react JS apps).
With case (i), traffic is authenticated against a bearer token in header, which is never exposed to the end user-agent. With case (ii), authentication is carried out with encrypted, httpOnly, Secure cookies.
I am fine with this setup, except for the classical cookie replay attack (this is already strongly mitigated by the httpOnly flag, but not entirely satisfactorily).
So I have been experimenting a bit with introducing an automatic CSRF mechanism in gatekeeper, based on gorilla/csrf package.
With CSRF enabled on a per protected resource basis, another encrypted cookie is carried back and forth to store the CSRF state and a header returned to the client. Obviously, CSRF check is disabled when a bearer token is present.
This forces the browser app to add a volatile CSRF token every time it calls a mutable resource (e.g. with POST, PUT, DELETE) relayed by the gateway.
I am currently polishing my POC with this feature and would be happy to contribute it as a PR.
Pieces of advice, feedback and opinions are welcome.
Cheers,
Frederic
5 years, 11 months
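The per-resource CSRF check the post describes, as an added example in Python that is not keycloak-gatekeeper or gorilla/csrf code: a random nonce is kept in a cookie, a token bound to the session by HMAC is handed to the browser app in a response header, every request using a mutating method must present both, and requests carrying a bearer token skip the check. The cookie and header names, the CsrfGuard class and the Request stand-in are assumptions of the example, and the cookie is integrity-protected rather than encrypted as in the post.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods: no CSRF check
CSRF_COOKIE = "csrf_state"                    # cookie name: assumption for this example
CSRF_HEADER = "x-csrf-token"                  # header name: assumption for this example


@dataclass
class Request:
    """Minimal constructed stand-in for the gateway's view of an HTTP request."""
    method: str
    headers: dict = field(default_factory=dict)   # lower-case header names
    cookies: dict = field(default_factory=dict)


class CsrfGuard:
    def __init__(self, key: bytes, ttl_seconds: int = 3600):
        self.key = key            # server-side secret, never sent to the client
        self.ttl = ttl_seconds

    def _mac(self, session_id, nonce, issued):
        # Binding the MAC to the session id means a nonce/token pair cannot be
        # transplanted from one session to another.
        msg = f"{session_id}|{nonce}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, now=None):
        """Return (cookie_value, header_token). The cookie value goes out as
        Set-Cookie with HttpOnly and Secure; the token goes out in a response
        header for the browser app to echo back on mutating calls."""
        now = int(time.time()) if now is None else now
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{now}.{self._mac(session_id, nonce, now)}"
        return nonce, token

    def check(self, req, session_id, now=None):
        """Return (allowed, reason). session_id comes from the session cookie
        the gateway has already decrypted and validated."""
        if req.method.upper() in SAFE_METHODS:
            return True, "safe method"
        if req.headers.get("authorization", "").lower().startswith("bearer "):
            return True, "bearer auth: server-side caller, cookies play no part"
        cookie_nonce = req.cookies.get(CSRF_COOKIE)
        token = req.headers.get(CSRF_HEADER)
        if not cookie_nonce or not token:
            return False, "csrf cookie or header missing"
        try:
            nonce, issued, mac = token.split(".")
            issued = int(issued)
        except ValueError:
            return False, "malformed csrf token"
        now = int(time.time()) if now is None else now
        if now - issued > self.ttl:
            return False, "csrf token expired"
        if not hmac.compare_digest(nonce, cookie_nonce):
            return False, "header token does not match cookie state"
        if not hmac.compare_digest(mac, self._mac(session_id, nonce, issued)):
            return False, "token not issued for this session"
        return True, "csrf token valid"


if __name__ == "__main__":
    guard = CsrfGuard(secrets.token_bytes(32), ttl_seconds=900)
    cookie, token = guard.issue("session-abc")   # constructed session id
    print(guard.check(Request("POST", {CSRF_HEADER: token}, {CSRF_COOKIE: cookie}), "session-abc"))
    print(guard.check(Request("POST", {}, {CSRF_COOKIE: cookie}), "session-abc"))
```

A cross-site request can carry the victim's cookies but not a custom header, so the mutating call fails at the "header missing" branch; the TTL bounds how long a leaked token stays usable, and the session binding rejects a token issued for a different session even when the cookie value matches.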
IdP initiated flow issues
by Bhavana Motwani
Hi all,
We are using Keycloak as a SP.
So far we have done the following:
- Configured an external IDP (e.g. auth0) to broker the authentication in a realm.
- Created an OpenID Connect client in the same realm.
- Using the keycloak-connect node lib in our web application to connect to the client.
- We are successfully able to do an SP-initiated SSO authentication.
Facing issues with IDP-initiated SSO:
- Do we have to create a client in our Keycloak? If yes, what will be the changes?
- What will be the possible changes on the IDP side that we have brokered? We are trying with Auth0.
- This is the link we are using: https://www.keycloak.org/docs/4.5/server_admin/index.html#idp-initiated-l... , but the documentation is not very clear.
Thank you for the help
5 years, 11 months