make sending a request object mandatory for certain clients
by Aron Bustya
Hi!
I have a use case where the server must accept authorization requests only
when they contain a signed request object (should be configurable per
client).
I have found a way to make the signing of the request object mandatory by
specifying a 'request.object.signature.alg' attribute on the client, but
this only applies if a request object exists in the first place.
I would like to propose a pull request: It defines a new client attribute
'request.object.required'. If this is set to 'true', the client must send a
request object when initiating an authorization request.
Current code can be checked here:
https://github.com/abustya/keycloak/commit/476912906a3ad0d290220a1f54abee...
What do you think?
Regards,
Áron Bustya
7 years
Keycloak authentication
by nirmal a
I am very much new to Keycloak. I have a question regarding Keycloak and obtaining an Access Token.
My use case is as below. I have two separate applications set up as 2 different clients in Keycloak. Both are using the same LDAP (Active Directory) server for authentication, which is set up in Keycloak as user federation.
A user is logged into applicationA using the keycloak login page. Now the user wants to launch applicationB on click of a button on its webpage.
On click of the button, applicationA should be able to retrieve an access token from Keycloak passing only the username (not the password) and use it to launch applicationB. The user should not be asked to log in to Keycloak again.
Once it receives the token it should be able to launch applicationB using the token. ApplicationB should check the validity of the token passed and retrieves the user details from the keycloak server.
Is there a way to achieve this?
7 years
kubernetes keycloak chart: persistent volume for themes?
by Naftali van der Loon
Hi, I'm using the kubernetes keycloak chart, and I must say, very nice
piece of work!
This helped me so much!
Only question I have is: what is the best way to deploy the theme in a HA
setup?
I think ideal would be a to use a persistent volume.
Or is there another way to get this working?
Thanks for your help in advance!
Grz
Naftali
7 years
Arquillian test override keycloak class
by Youssef EL HOUTI
Hi,
I'm writing a module for keycloak to deny access for clients using policies
(the same way it's done with UMA, but before giving the token the first
time). To achieve that I need my module to override some classes (ex:
org.keycloak.protocol.oidc.endpoints.TokenEndpoint).
In my Arquillian test, I do the following:
import java.io.File;
import java.io.IOException;

import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.TargetsContainer;
import org.jboss.shrinkwrap.api.Archive;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.JavaArchive;

// Deploys the provider jar into the remote Keycloak container under test.
@Deployment(name = MODULE_JAR, testable = false)
@TargetsContainer("keycloak-remote")
public static Archive<?> createProviderArchive() throws IOException {
    return ShrinkWrap.create(JavaArchive.class, "keycloak-authorization.jar")
            // the overriding TokenEndpoint plus the custom service it calls
            .addClasses(
                    org.keycloak.protocol.oidc.endpoints.TokenEndpoint.class,
                    LocalAuthorizationService.class)
            .addAsManifestResource(new File("src/test/resources", "MANIFEST.MF"));
}
Unfortunately it doesn't work. Any ideas, please?
Thank you.
7 years
Configuring the built GitHub version
by Bela Berde
Hi,
I am using the GitHub version that I am recompiling if necessary.
Now, I want to configure the built binary with a realm etc.
Where should I add my json files?
Many thanks
7 years
disable url check on introspection
by Aron Bustya
Hello!
We are operating keycloak and an API gateway which protects our resource
servers, the gateway uses the token introspection feature of keycloak to
validate requests.
Our problem is that keycloak only accepts introspection request when called
with the same fqdn as the token was issued for, so the gateway cannot call
keycloak using its internal address.
I know this is a 'solvable' problem, but solutions raise further questions,
and it would be simpler to just allow the introspection call without the
url check.
I see others have encountered the problem also:
https://issues.jboss.org/browse/KEYCLOAK-5045
The RSATokenVerifier used for introspection actually has a checkRealmUrl
setting, but it can't be influenced from any server configuration.
So my question is: if I made the checkRealmUrl setting configurable using a
realm attribute or client attribute, would that be an acceptable feature
for a pull request?
Best regards,
Áron Bustya
7 years
Testing a custom Provider
by Youssef EL HOUTI
Hi,
I'm building a custom RealmResourceProvider to be able to run a full realm
export and import while the app is running. Since these are sensitive
tasks, I want to secure the endpoint. I think I managed to do that by
"copying" what is done with the adminResource.
Now I want to (integration) test my custom provider.
How should I proceed to build tests like the ones available in the test suite
(using AbstractKeycloakTest)?
Also, is this the right approach?
Things I would like to test:
User is connected to master and has the create-realm role to be able to import a
new realm
User is importing from the realm specified in the file to avoid mistakes
User has the role manage-realm to be able to import...
...
Thanks for your help
Youssef
7 years
Keycloak.js - allow to provide custom adapters
by Wojciech Trocki
Hi
I have been using keycloak.js for more than a year, mainly with mobile
applications (Cordova).
Library is pretty well designed however there are some minor limitations in
terms of what adapters could do.
From my point of view the javascript library is missing the ability to provide
custom implementations for adapters.
Additionally implementations are provided as objects so it's hard to see
and conform this undocumented interface.
I'm happy to contribute any changes that will make sense upstream.
I have created an issue to cover the exact use case where this is needed:
https://issues.jboss.org/browse/KEYCLOAK-6798
Adding this functionality will also make it trivial to implement support
for different mobile platforms like ReactNative etc.
Regards
Wojtek
7 years
Running Keycloak in a clustered mode
by Shankar_Bhaskaran
Hi,
We are running 2 standalone instances of Keycloak with a shared database (later on a clustered database) in active-passive mode using HAProxy as the load balancer. I had tested some REST services by running the request again with the same bearer token with the active Keycloak server down; the passive server then becomes the active one and it still works.
Can we run 2 instances of Keycloak in standalone mode behind a proxy with a shared database? Or should we cluster it first using the standalone-ha.xml configuration?
What features will be disabled if we use the former way of load balancing Keycloak?
Regards.
Shankar
7 years
Question on Node.js adapter - Wrong response code when not logged in, maybe
by Luke Holmquist
Hi,
given this example application
https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
endpoint "/api/greeting", it is protected with the basic keycloak-connect
setup.
https://github.com/bucharest-gold/nodejs-rest-http-secured/blob/master/ap...
If we run this locally, with "npm start", and just curl that endpoint,
"curl http://localhost:3000/api/greeting" it will return with a 403.
There was an issue raised that it should be a 401,
https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
The way this comment makes it sound,
https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#...
is that the 403 is correct.
If we look at the complementary vert.x and swarm examples,
https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster and
https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-s...
a similar curl will result in a 401 when not logged in.
I'm just wondering if that 403 from the node adapter is correct and, if so, why
it differs from the other runtimes.
-Luke
7 years