Re: [keycloak-dev] [keycloak-user] Trojan in Keycloak Javascript Adapter?
by Stian Thorgersen
Please try the files on https://www.microsoft.com/en-us/wdsi/filesubmission.
That will allow Microsoft to investigate the issue.
I've just submitted it myself and it comes back clean, so this seems to be
an issue in your environment. Maybe your computer is affected?
On 4 January 2018 at 15:52, Ariel Carrera <carreraariel(a)gmail.com> wrote:
> Hi, it still happens in my environment.
> The problem persists with the new version of today (3.4.3.Final).
>
> Any comments from the dev team? Could you check it?
>
> Maybe it's a false alarm but it could be a serious security problem.
>
> - Screenshot of Keycloak JS Adapter alert:
>
> [image: Inline image 1]
>
> - Screenshot of Keycloak distribution alert:
>
> [image: Inline image 2]
>
> - Screenshot of Virus Definitions Version:
> [image: Inline image 3]
>
> - Screenshot of Virus Definition Upgrade:
> [image: Inline image 4]
>
> - Screenshot of Keycloak JS Adapter alert again (with definitions up to
> date):
> [image: Inline image 5]
>
> Thanks,
>
> 2018-01-03 18:07 GMT-03:00 Ariel Carrera <carreraariel(a)gmail.com>:
>
> > Thanks Ramunas, I will check my Windows Defender definition version to
> > compare with yours. I have Windows 10 (64 bit) updated in December 2017.
> >
> >
> > On Wed, 3 Jan 2018 at 17:45, Rumanas <ramunask(a)gmail.com>
> wrote:
> >
> >> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file
> >> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder
> >> with Windows Defender on Windows 10 - no issues found
> >> * checked for Windows updates. New update "Definition Update for Windows
> >> Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and
> >> installed.
> >> * scanned again. No issues found.
> >>
> >> Ramūnas
> >>
> > --
> > Ariel Carrera
> >
>
>
>
> --
> Ariel Carrera
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
6 years, 1 month
FIDO UAF
by Stian Thorgersen
Anyone here interested in FIDO UAF? I'd be interested to have a
conversation about it.
6 years, 1 month
Updated release cadence
by Stian Thorgersen
As we've started working in 3 week sprints we are considering a new release
model for Keycloak.
What we are considering is doing a Beta release for every sprint, then for
every 4th sprint (each quarter) we plan to do a Final release.
For a beta release existing features will be considered stable, while new
features may not be ready for prime time. The recommendation will still be
to upgrade to always update to the latest release to receive the latest
security fixes and other fixes.
However, care should be taken before using new features in production until
a Final release is available.
Thoughts?
6 years, 1 month
Hot reload JBoss modules
by Adrian Gonzalez
Hello,
I developed a little Spi (org.keycloak.provider.Spi).
I tried to deploy it the usual way (mvn clean install wildfly:deploy), but it doesn't work. I need to deploy it as a JBoss module.
Is there a way to avoid restarting JBoss when redeploying a JBoss module?
For the moment, I'm doing:
```sh
mvn clean package
$KEYCLOAK_HOME/bin/jboss-cli.sh --command="module remove --name=org.gonzalad.keycloak.idp.idp-service"
$KEYCLOAK_HOME/bin/jboss-cli.sh --command="module add --name=org.gonzalad.keycloak.idp.idp-service --resources=target/idp-service-0.0.1-SNAPSHOT.jar --dependencies=javax.ws.rs.api,javax.persistence.api,org.hibernate,org.javassist,org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-services,org.keycloak.keycloak-model-jpa,org.jboss.logging"
$KEYCLOAK_HOME/bin/standalone.sh --debug
```
Thanks,
Adrian
6 years, 1 month
Brute force protection behaviour
by Hynek Mlnarik
Hi,
please help me clarify the expected behaviour of brute force protection. I
read the documentation [1] but I am still not 100% sure about it. I'm more
after the intention rather than the actual implementation.
1) When should the Failure Reset Time apply? After the first or after the last
failed attempt?
2) Should the failed login attempts counter be cleared after the first
successful login, or only after the failure reset time regardless of
successful logins?
3) Should login failures be counted while the account is locked?
4) Should unlocking the account in the admin console reset the login failures counter?
In other words, what is expected behaviour of the following scenarios
(questions are in items marked with Q ->)? I intentionally don't suggest
any correct answer below myself.
Setup:
- Permanent lockout: Off
- Max Lock time: 15 mins
- Wait Time Increment: 1 min
- Failure Reset Time: 30 mins
= Scenario 1 =
1.1) User locks its account
1.2) Another 3 immediate failed login attempts while account is blocked
Q -> 1.3) Check that after (1 or 3?) minutes the account is unlocked
= Scenario 2 =
2.1) User locks its account
2.2) Wait until account is unlocked (should be 1x Wait Time Increment)
2.3) Then do another one failed login attempt.
Q -> 2.4) Should the account be locked now or only after the next Max Login
Failures?
Q -> 2.5) Wait until account is unlocked (should be 1x or 2x Wait Time
Increment?)
2.6) Then fail another one login attempt
Q -> 2.7) Wait until account is unlocked (should be 1x or 3x Wait Time
Increment?)
Q -> 2.8) Wait Failure Reset Time (since first or last failed attempt?)
2.9) Validate that the user can again lock themselves out only after Max
Login Failures failed login attempts.
= Scenario 3 =
3.1) User locks its account
3.2) Another 20 failed immediate login attempts while account is blocked
Q -> 3.3) Check that after (1 or 15?) minutes the account is unlocked
(Max Lock time is 15 mins)
Thanks
--Hynek
[1]
http://www.keycloak.org/docs/latest/server_admin/index.html#password-gues...
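The four questions above are about policy semantics, so here is a small Python model of a temporary-lockout counter, added as an illustration. It is not Keycloak's implementation and it does not answer the questions; it only makes each of them a single, clearly marked assumption in code so that the scenarios can be run mechanically. The setup values (Max Lock time 15 min, Wait Time Increment 1 min, Failure Reset Time 30 min, permanent lockout off) are taken from the message; Max Login Failures is not given there, so 3 is assumed, as is the escalation rule (one Wait Time Increment per multiple of Max Login Failures, capped at Max Lock time).

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Realm-level settings from the scenario setup (seconds)."""
    max_login_failures: int = 3          # "Max Login Failures": ASSUMED, not given in the message
    wait_increment: int = 60             # "Wait Time Increment: 1 min"
    max_lock_time: int = 15 * 60         # "Max Lock time: 15 mins"
    failure_reset_time: int = 30 * 60    # "Failure Reset Time: 30 mins"
    count_failures_while_locked: bool = True  # Q3 assumption: attempts during a lock still count


@dataclass
class UserFailureState:
    """Per-user counters, all timestamps in epoch seconds."""
    num_failures: int = 0
    last_failure: int = 0
    locked_until: int = 0


def is_locked(state: UserFailureState, now: int) -> bool:
    return now < state.locked_until


def record_failure(policy: LockoutPolicy, state: UserFailureState, now: int) -> int:
    """Register one failed login at time `now`; return the time the lock expires (0 if none)."""
    # Q1 assumption: the reset window is measured from the LAST failure, not the first.
    if state.num_failures and now - state.last_failure > policy.failure_reset_time:
        state.num_failures = 0
    # Q3 assumption (configurable above): failures during an active lock are counted.
    if is_locked(state, now) and not policy.count_failures_while_locked:
        return state.locked_until
    state.num_failures += 1
    state.last_failure = now
    if state.num_failures >= policy.max_login_failures:
        # ASSUMED escalation: every further Max Login Failures adds one Wait Time Increment,
        # never exceeding Max Lock time; an existing lock is only ever extended, never shortened.
        level = state.num_failures // policy.max_login_failures
        wait = min(level * policy.wait_increment, policy.max_lock_time)
        state.locked_until = max(state.locked_until, now + wait)
    return state.locked_until


def record_success(state: UserFailureState) -> None:
    """Q2 assumption: a successful login clears the counter and any remaining lock."""
    state.num_failures = 0
    state.locked_until = 0


def admin_unlock(state: UserFailureState) -> None:
    """Q4 assumption: an admin unlock also resets the counter, not just the lock."""
    state.num_failures = 0
    state.locked_until = 0


def run_scenario(policy: LockoutPolicy, failure_times: list) -> list:
    """Replay failed attempts and return (time, num_failures, locked_until) after each one."""
    state = UserFailureState()
    trace = []
    for t in failure_times:
        record_failure(policy, state, t)
        trace.append((t, state.num_failures, state.locked_until))
    return trace


if __name__ == "__main__":
    # Scenario 1: lock the account (3 failures), then 3 more immediate failures while locked.
    for row in run_scenario(LockoutPolicy(), [0, 1, 2, 3, 4, 5]):
        print("t=%3ds failures=%d locked_until=%ds" % row)
```

Under these assumptions Scenario 1 ends with the lock expiring at 125 s (two increments), which is neither of the "1 or 3 minutes" candidates in the question; flipping `count_failures_while_locked` to `False` gives 62 s. That is exactly why the intended semantics need to be pinned down rather than inferred from one implementation.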
6 years, 1 month
How to retrieve an access token only with roles for a specific target service (keycloak client)?
by Daniel Charczyński
Hi everyone
I think that there is an important need to implement a feature that makes it
possible to get an access token according to the target service
background:
we are using bearer access tokens for authorization between services;
this is a JWT signed by keycloak and contains all roles assigned to this
specific client
we are using a "service account" for service-to-service authorization
eg:
if we have the following scenario
service A ---> service B
|
|------------- > service C
service A receives a JWT with roles for services B and C
If service A communicates with B, B is able to reuse this token and
communicate with C as service A
The token that B receives from A is valid and there is the possibility to reuse it
That is a CRITICAL security issue in my opinion.
Our plan is to use roles that require the scope parameter, and that is OK for us,
but at the moment there is only the possibility to query for a specific role;
there is NO possibility to ask keycloak for a JWT with all roles but only in
the service B context.
Of course we can use composite roles, but this is a workaround that requires
extra maintenance - we do not want to do it that way
We just need support for a scope parameter like
scope = serviceB/*
We created
* https://github.com/keycloak/keycloak/pull/4910 - rejected
* https://issues.jboss.org/browse/KEYCLOAK-6092 - closed as duplicate
Maybe our PR is too flexible - we built our solution using regex
There is the possibility to use wildcards, anything
Regards
Daniel Charczyński
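The reuse problem described in the message (B forwarding A's token on to C) is what an audience restriction on the token is meant to catch: if the token names only the service it was issued for, every other service rejects it regardless of whether the signature is valid. The following Python example is added here and is not Keycloak's code. It mints a toy HS256-signed JWT whose `aud` and `resource_access` claims are limited to the requested target services, then shows service C rejecting a token issued for B only, while a token issued for both B and C is accepted by C, which is the replay the message describes. Keycloak's real tokens are RSA-signed with the realm key; the shared secret, the service names and the function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real issuer signs with an asymmetric realm key (RS256),
# but HS256 keeps the example dependency-free without changing the audience logic.
SECRET = b"constructed-demo-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audiences: list, roles_by_service: dict, ttl: int = 300, now=None) -> str:
    """Issue a JWT whose `aud` and `resource_access` cover ONLY the requested target services.

    `roles_by_service` is everything the caller is entitled to; only the entries for
    `audiences` are copied into the token, so a token for B carries no roles for C.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "aud": list(audiences),
        "iat": now,
        "exp": now + ttl,
        "resource_access": {svc: {"roles": roles_by_service.get(svc, [])} for svc in audiences},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_for_service(token: str, service: str, now=None) -> list:
    """Resource-server side: return the roles granted to `service`, or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")        # never let the token pick the algorithm
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    # The audience check is the part that stops B replaying A's token against C.
    if service not in aud:
        raise ValueError("token not intended for " + service)
    return payload.get("resource_access", {}).get(service, {}).get("roles", [])


if __name__ == "__main__":
    entitlements = {"service-b": ["orders:read"], "service-c": ["billing:read"]}
    token_for_b = mint_token("service-a", ["service-b"], entitlements)
    print("B accepts:", verify_for_service(token_for_b, "service-b"))
    try:
        verify_for_service(token_for_b, "service-c")
    except ValueError as err:
        print("C rejects:", err)
```

The design point is that the issuer filters claims by target at mint time and the resource server enforces `aud` at verify time; either half alone is insufficient, since an unfiltered token still leaks roles to B, and an unchecked `aud` still lets C honour a token that was never meant for it.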
6 years, 1 month
Locale lookup issue
by Iilei • Jochen Preusche
Hello all,
A little background information:
In Keycloak 3.4.3.Final the following behaviour seems like a bug to me:
* Use a theme with a country-specific locale, for example fr-FR and a default locale `english`
* Use Firefox on Ubuntu, drop all language preferences in its settings and just add `french` (no country specified)
* request the login page
* the theme will be rendered in english
Acknowledging RFC 4647 (1) Section 3.4, "Best Current Practice - Matching of Language Tags - Types of Matching - Lookup", I would expect basic matching to be applied so that the French language is chosen.
The topic is discussed controversially in the original pull request (2). Therefore I have been asked to move the discussion from the pull request to this mailing list.
For more info, see also the related issue (3).
Thank you for your consideration.
Kind regards,
Jochen Preusche
(1) https://www.ietf.org/rfc/rfc4647.txt
(2) https://github.com/keycloak/keycloak/pull/4958
(3) https://issues.jboss.org/browse/KEYCLOAK-6461
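To make the disagreement in the pull request concrete, here is a Python implementation of the two RFC 4647 matching schemes the message touches on, added as an illustration and not taken from Keycloak. `lookup` is Section 3.4 Lookup (the range is truncated from the right until an available tag matches, then the default is used), and `basic_filter` is Section 3.3.1 Basic Filtering (a range matches every tag equal to it or starting with it). Run on the message's situation, a browser sending `fr` against a theme offering `fr-FR` plus a default of `en`, Lookup returns the default while Basic Filtering returns `fr-FR`, which is exactly the difference under discussion. The Accept-Language parser and the function names are the example's own.

```python
def parse_accept_language(header: str) -> list:
    """Turn an Accept-Language header into language ranges ordered by q-value (highest first)."""
    items = []
    for position, part in enumerate(header.split(",")):
        rng, _, qpart = part.strip().partition(";")
        q = float(qpart.split("=")[1]) if qpart else 1.0
        if rng.strip():
            # Stable sort on (-q, original position) keeps the header order for equal q.
            items.append((-q, position, rng.strip()))
    return [rng for _, _, rng in sorted(items)]


def lookup(priority_list: list, available: list, default: str) -> str:
    """RFC 4647 section 3.4 Lookup: for each range, drop subtags from the right until a tag matches.

    Note the asymmetry: the RANGE is shortened, never the available TAG, so the range "fr"
    can only ever match an available "fr", not "fr-FR".
    """
    by_lower = {tag.lower(): tag for tag in available}
    for rng in priority_list:
        if rng == "*":
            continue                      # "*" carries no information in Lookup
        parts = rng.lower().split("-")
        while parts:
            candidate = "-".join(parts)
            if candidate in by_lower:
                return by_lower[candidate]
            parts.pop()
            # Section 3.4: a trailing single-character subtag (e.g. the "x" of "de-x-foo")
            # is removed together with the subtag that followed it.
            if len(parts) > 1 and len(parts[-1]) == 1:
                parts.pop()
    return default


def basic_filter(priority_list: list, available: list) -> list:
    """RFC 4647 section 3.3.1 Basic Filtering: a range matches tags equal to it or prefixed by it."""
    matches = []
    for rng in priority_list:
        r = rng.lower()
        for tag in available:
            t = tag.lower()
            if (r == "*" or t == r or t.startswith(r + "-")) and tag not in matches:
                matches.append(tag)
    return matches


def choose_locale(accept_language: str, available: list, default: str) -> str:
    """Pick a theme locale the way a server using Lookup would."""
    return lookup(parse_accept_language(accept_language), available, default)


if __name__ == "__main__":
    # Constructed inputs mirroring the message: Firefox set to French only, theme offers fr-FR and en.
    theme_locales = ["en", "fr-FR"]
    print("Lookup   :", choose_locale("fr", theme_locales, "en"))
    print("Filtering:", basic_filter(parse_accept_language("fr"), theme_locales))
```

Going one step beyond the message, the same code shows the mirror case: a browser sending `fr-FR` against a theme that only offers `fr` does match under Lookup, because there the range is the more specific side. Which scheme a login page should use is the policy question the pull request raises; the code only makes the consequences of each choice reproducible.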
6 years, 1 month