offline access permission incorrect?
by Bill Burke
To enable offline access the user must have the offline access role
and the client must have that role in its scope...
This just doesn't seem right to me. IMO, this shouldn't be something
you assign as a permission to a user. It's solely a client permission and
should not be something role-based. Instead the client should be
marked as allowed to ask for offline access, along with whether or not the
client must ask for consent for this.
--
Bill Burke
Red Hat
6 years, 8 months
Keycloak usage scenario
by Vladimir Safin
I have an Angular application that calls a Spring Boot based REST API.
The Angular application can authenticate with Keycloak; in fact I was thinking
about using Keycloak's ability to register users as well.
In my application I have a need to provision this logged-in user in my
database or update their information after they log in. Since the Spring Boot
API app is stateless and we use a JWT token to authenticate, saving the user into
the database on every request would not be efficient.
Has anybody run into a scenario like this? How did you solve it?
6 years, 8 months
Client Scope naming
by Schuster Sebastian (INST/ESY1)
Hi,
I saw there are activities to replace client templates with client scopes. UMA 2.0 uses the term “client scope” to determine what the OAuth client wants to do with the granted access (e.g. this could be used to determine the purpose of processing some data for GDPR compliance). Since Keycloak will also support UMA 2.0, I am a little concerned this might lead to some confusion. As you know, there are only two hard problems in computer science: cache invalidation, naming things, and off-by-one errors. ☺ WDYT?
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn
6 years, 8 months
Automatic Security Advisory for Keycloak Settings
by Thomas Darimont
Hello,
After upgrading Keycloak some settings are not updated and are
left as is, either because they were changed by the admin
or because they contain the previous default value.
These settings might not match the current recommendations.
Since there is currently no automatic configuration check,
Keycloak admins potentially need to revisit every
setting after an upgrade / migration.
An example of settings that need to be revisited regularly after
a Keycloak upgrade is the header configuration in the Security Settings.
It would be great if Keycloak would be aware of the current
best practice recommendations for configuration settings and
would list / highlight deviations.
One way to show this to admins would be a list in a dedicated
"Security Advisory" section or as a hint on a particular setting
in the admin console.
Do you have any plans for implementing something like this?
Cheers,
Thomas
6 years, 8 months
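The kind of check Thomas asks for, sketched as an added example that is not Keycloak code: it scans the browserSecurityHeaders map of a realm export (key names as in Keycloak's realm representation; the realm fragment and the recommended baseline are constructed for the example and are assumptions, not Keycloak's own defaults) and reports headers that are unset, differ from the baseline, or, for the Content-Security-Policy, lack a recommended directive.

```python
import json

# Constructed realm export fragment; values are made up to show deviations.
REALM_EXPORT = json.loads("""
{
  "realm": "example",
  "browserSecurityHeaders": {
    "xFrameOptions": "",
    "contentSecurityPolicy": "frame-src 'self'",
    "xContentTypeOptions": "nosniff",
    "xXSSProtection": "1; mode=block",
    "strictTransportSecurity": ""
  }
}
""")

# Assumed baseline for this example (adjust to your own policy).
RECOMMENDED = {
    "xFrameOptions": "SAMEORIGIN",
    "xContentTypeOptions": "nosniff",
    "xXSSProtection": "1; mode=block",
    "strictTransportSecurity": "max-age=31536000; includeSubDomains",
    "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
}


def csp_directives(value):
    """Return the set of directive names present in a CSP string."""
    return {d.strip().split(" ")[0] for d in value.split(";") if d.strip()}


def find_header_deviations(realm, baseline=RECOMMENDED):
    """Map header name -> human-readable finding for every deviation."""
    headers = realm.get("browserSecurityHeaders", {})
    findings = {}
    for name, expected in baseline.items():
        actual = headers.get(name, "").strip()
        if not actual:
            findings[name] = "not set (recommended: %r)" % expected
        elif name == "contentSecurityPolicy":
            # Directive-level comparison: extra directives are fine, missing ones are not.
            missing = csp_directives(expected) - csp_directives(actual)
            if missing:
                findings[name] = "missing directives: " + ", ".join(sorted(missing))
        elif actual != expected:
            findings[name] = "is %r, recommended %r" % (actual, expected)
    return findings


if __name__ == "__main__":
    for header, finding in find_header_deviations(REALM_EXPORT).items():
        print("ADVISORY %s: %s" % (header, finding))
```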
offline access tokens part 2
by Bill Burke
These are my thoughts for implementing offline access tokens:
* offline access tokens MUST be validated. This means that if they
are used during bearer token requests, the service must validate the
token with the token endpoint.
* These tokens MUST be rejected by older Keycloak clients as our
adapters don't have support for them.
* offline access tokens will not be stored in the database. Instead
they will be JWEs or JWSs that link to an offline user session (our
current offline access implementation). They will be revocable just
like any other offline session and in the same manner. This makes the
implementation simple.
* There will be 4 modes for configuring clients
- client automatically receives offline access tokens (maybe not
include a refresh token in this case)
- client may request an offline access token
- client requires consent before providing an offline access token
- client is not allowed to ask for offline access tokens (default)
Any other thoughts on this?
Maybe this should be implemented in conjunction with a reference token
feature too?
--
Bill Burke
Red Hat
6 years, 8 months
keycloak-cli.bat failed to connect to the controller with SaslException DIGEST-MD5: Server rejected authentication
by Sébastien Vandamme
Hello,
I am in the process of installing Keycloak 3.4.3.Final and customizing it
using scripts. I reuse scripts that I used on Keycloak 2.5.1 with success
but, on the new version, I run into strange problems.
All the commands that I run that start with
keycloak-cli.bat --connect --controller=localhost:9990 --user=root
--password=somePwd
don't work anymore and display the following error
Failed to connect to the controller:
Unable to authenticate against controller at localhost:9990:
Authentication failed: all available authentication mechanisms failed:
DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server
rejected authentication
When I run the same command without the credentials
keycloak-cli.bat --connect --controller=localhost:9990
the connection works and I see
[standalone@localhost:9990 /]
When I connect directly via the browser on the URL localhost:9990, it asks
me for a login and a password; I enter the ones given in the first command
and I can connect without any problem.
I read a lot of stuff on similar problems on the web but nothing solved my
problem. For example, my remoting configuration, which was a problem in some
cases, seems right
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<endpoint/>
<http-connector name="http-remoting-connector"
connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
In short, I'm stuck.
Does someone have any idea to help me?
Thank you in advance for your help,
Seb
6 years, 8 months