June 2018 - keycloak-dev - Jboss List Archives

by gambol

Hiya One of our projects is looking to tie Knox and Keycloak together; with some documentation here https://community.hortonworks.com/articles/196751/knox-accept-third-party.... At the moment the users are being federated to an ldap user store. The issue at the moment is the subject ID, they would like this mapped 'uid' attribute to the user representation in ldap, is this simply a matter of changing the 'UUID LDAP attribute' .. They did try and they started getting errors logging in, I'm guessing this was perhaps due to changing the mapping once users had already been imported? ... Alas, I don't have access to components myself, so acting as a middle man at the moment Rohith

5 years, 10 months

2
2
0 / 0

Decoupled channel authentication (Google Push Authn)

by James Holland

Hi, I'm trying to work out how to add an authentication flow where the actual authentication is done in another channel. Something like Google Push Authenticator, the IDP sends a push message that encodes a transaction, the app receives the push msg, decodes, and prompts the user to confirm (which signs the transaction). This signature is then sent to the IDP and thus allows access to the user in the original triggering channel. The only thing the user has to supply original triggering channel is a user identifier, no credentials. I have all this work in a standalone solution but wish to add this to keycloak, There are two OAuth2 related standards that support this model (but I could not find them on roadmap or feature requests): - - https://tools.ietf.org/html/draft-ietf-oauth-device-flow - http://openid.net/specs/openid-connect-modrna-client-initiated-backchanne... I'm struggling to understand the various KeyCloak SPI's and when they are invoked, what is the flow? Does there exist a sequence or collaboration diagram on how the SPIs interact? So can anyone point me in the correct approach to this within KeyCloak, my current guess is: 1) Write an implementation of the Authentication SPI to send the push message and store the details of the transaction against the user record. 2) Create an endpoint to validate the authentication from the push app and update the stored transaction as complete (or could this be the existing OIDC endpoint but with a different Authentication SPI implementation to validate the TX) 3) Write some template pages/scripts that will poll against a new API to see if the transaction is complete, if it is it returns a Access &/or a Id token For the initial version I'd expect to have the page/JS poll the API but eventually replace with websocket, the http session object subscribing to a message queue to be informed on the transaction is complete. Sorry for the long message, but any guidance is very welcome. Obviously I intend to make it OSS. Regards James

5 years, 10 months

1
0
0 / 0

Re: [keycloak-dev] Offline Session Max for Offline Token

by 乗松隆志 / NORIMATSU，TAKASHI

Hello, I agree with you. The specification seems to be as follows. * As default, operate as current Offline Access does, namely "Offline Session Max" concept is not adopted. * On Admin Console, have "Offline Session Max Limited" ON/OFF switch. If ON, show "Offline Session Max" dropdown whose default value is "60 days". If Off, it disappears. Default is OFF. * In Model, not use something to keep "Offline Session Max Limited" ON/OFF switch setting. Only use int to keep "Offline Session Max" value whose unit is "second". -1 indicates "infinity", namely not expire by "Offline Session Max". One point I would like to discuss is how to accommodate "Offline Session Max" setting (also "Offline Session Max Limited" ON/OFF switch implicitly). My proposal is the following. * On UI(html, js) and RealmModel, use setter/getter. * On RealmAdapter and RealmEntity, use attributes. * On RealmAttributes, define its attribute key such as String OFFLINE_SESSION_MAX_LIFESPAN = "offlineSessionMaxLifespan"; The reason why is to avoid DB migration works. What do you think about that? Best regards, Takashi Norimatsu Hitachi Ltd., -----Original Message----- From: Marek Posolda <mposolda(a)redhat.com> Sent: Monday, June 18, 2018 8:29 PM To: 乗松隆志 / NORIMATSU，TAKASHI <takashi.norimatsu.ws(a)hitachi.com>; 'keycloak-dev(a)lists.jboss.org' <keycloak-dev(a)lists.jboss.org> Subject: [!]Re: [keycloak-dev] Offline Session Max for Offline Token Hi, it makes sense to me to have support for this. However IMO default value should be still "infinity" like it is now. I am not sure what is the best way to handle this in admin console considering usability? Considering that timeouts in admin console (Tab "Tokens" of "Realm Settings") doesn't yet support infinity. And other timeouts besides "Offline Session Max" still should be kept to not support infinity IMO. Maybe one way is to have On/Off switch like "Offline Session Max Limited" . It is off by default and when it is switched to ON, it will show another field "Offline Session Max" with the timeout? Which can be 60 days by default maybe? At the model level, there would be still single int value IMO (EG. When the value is -1, it means infinity, which means that "Offline Session Max Limited" switch will be OFF in admin console and "Offline Session Max" hidden. When it is positive value, the "Offline Session Max Limited" switch will be ON and the actual value of timeout "Offline Session Max" will be shown). Could this work? Marek On 14/06/18 08:36, 乗松隆志 / NORIMATSU，TAKASHI wrote: > Hello, > > I've found that keycloak does not support Offline Session Max related to Offline Token while supports SSO Session Max related to Refresh Token. > > For authorization of REST API services, long life(not infinite, such as 60days) refresh token is required, offline access and persistency in keycloak side are also expected. > Therefore, Offline Session Max is required for offline token. > > For example, consulting MS Azure, it has already supported this concept. > https://clicktime.symantec.com/a/1/--rcGHJujTdPJSfFwNlM2MIYGqLILoWPKdL > 9CWfmjNc=?d=YWVjrivvynl5nVuhig7Zwbvg38OkJyUVDhaDQ312OlDzgNM4xTTDVE89zf > _mLEMJrbOBesYy_-Yw2RhKJfJm5AANJ_OD6WaMyDNij1Xb4Cuf-VYC4Ch2z5y5DLJ3vdQd > Cr_N3VusQfJENUGg44FTkalpZ_1vwmTbXJV1hjQGmNYtp8Hp6BWFQZmIv60C2fQGJYo4R0 > Pzdorm-4IhlIYi5LyAp_T45WsKMOn7PkZVYkBanJxHl3ESfMgcvkxElRlAfh2luIzQQkiz > e7gu-mj7EDmYyUiA6n4ngr8_PD0i3-0-GJbATfxQjS3Cg-MTJbjf6DdPlNhxriDK869vtT > 2bc6zkl0tBQxOQ5Sr6xspyxpbjN5mwFSvN4w2AmX0pfoubD3uf8mSNb5dBZjJ4xkOj9w%3 > D%3D&u=https%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fazure%2Factive-direc > tory%2Fdevelop%2Factive-directory-token-and-claims%23token-revocation > > I would like to try to implement this feature. > Best regards, > Takashi Norimatsu > Hitachi Ltd., > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://clicktime.symantec.com/a/1/PRLXsV_IH6jByHBptfs7DU9QRvpmlAlFI31 > S45woinY=?d=YWVjrivvynl5nVuhig7Zwbvg38OkJyUVDhaDQ312OlDzgNM4xTTDVE89zf_mLEMJrbOBesYy_-Yw2RhKJfJm5AANJ_OD6WaMyDNij1Xb4Cuf-VYC4Ch2z5y5DLJ3vdQdCr_N3VusQfJENUGg44FTkalpZ_1vwmTbXJV1hjQGmNYtp8Hp6BWFQZmIv60C2fQGJYo4R0Pzdorm-4IhlIYi5LyAp_T45WsKMOn7PkZVYkBanJxHl3ESfMgcvkxElRlAfh2luIzQQkize7gu-mj7EDmYyUiA6n4ngr8_PD0i3-0-GJbATfxQjS3Cg-MTJbjf6DdPlNhxriDK869vtT2bc6zkl0tBQxOQ5Sr6xspyxpbjN5mwFSvN4w2AmX0pfoubD3uf8mSNb5dBZjJ4xkOj9w%3D%3D&u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev

5 years, 10 months

2
1
0 / 0

Offline Session Max for Offline Token

by 乗松隆志 / NORIMATSU，TAKASHI

Hello, I've found that keycloak does not support Offline Session Max related to Offline Token while supports SSO Session Max related to Refresh Token. For authorization of REST API services, long life(not infinite, such as 60days) refresh token is required, offline access and persistency in keycloak side are also expected. Therefore, Offline Session Max is required for offline token. For example, consulting MS Azure, it has already supported this concept. https://docs.microsoft.com/en-US/azure/active-directory/develop/active-di... I would like to try to implement this feature. Best regards, Takashi Norimatsu Hitachi Ltd.,

5 years, 10 months

2
1
0 / 0

OpenShift Commons Briefing #129: KeyCloak for Cloud Natives

by Stian Thorgersen

https://www.youtube.com/watch?v=j6PgJIV1UNI

5 years, 10 months

1
0
0 / 0

Keycloak 4.0.0.Final is out

by Stian Thorgersen

https://www.keycloak.org/downloads.html

5 years, 10 months

2
1
0 / 0

Current state of OSGi in Keycloak; Keycloak at adaptTo()'2018 conference & more

by Dmitry Telegin

Hi, Together with Ioan Eugen Stan (in CC) we'll be doing a talk at adaptTo()'2018 conference [1] that will take place 12-13 September in Potsdam, Germany. It's an event dedicated to Apache Sling and everything around it. The talk will be titled "Modern authentication in Sling with OpenID Connect and Keycloak". As you might guess, we're going to present Sling + Keycloak integration which I hope we'll manage to implement by the time of the conference :) that said, we welcome any thoughts that might help us with that. Now for technical details, Sling is an OSGi-based content-oriented web framework that runs on top of Apache Felix and uses Felix HTTP Service. I've examined Keycloak OSGi adapter and found its name a bit confusing; seems like it's only suitable for JBoss Fuse, depending on Pax Web (correct me if I'm wrong). Right now I see two scenarios, the first is to take current OSGi adapter and adapt it (sorry for tautology) to Felix HTTP Service; the second is to use the existing servlet filter adapter. I'd say I would prefer the second variant, as it's more straightforward. Felix and Sling have a proven and well-documented support for servlet filters, however, we'll have to solve the problems of packaging for OSGi, filter registration, configuration and more deep integration with Sling's security framework. Also please let us know if you consider our (future) code worth being contributed to Keycloak codebase. Most likely, the deliverables will include 1) servlet filter adapter packaged as OSGi bundle, 2) the Sling adapter proper. Cheers and hope to hear from you, Dmitry [1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-wi th-openid-connect-and-keycloak.html

5 years, 10 months

3
2
0 / 0

Community maintained extensions

by Stian Thorgersen

We've added a simple page to list community maintained extensions to Keycloak. If you've developed and maintain an extension to Keycloak we would love you to list your work on our website. To do that simply send a PR to https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/e... . A template for the required json file here https://github.com/keycloak/keycloak-web/blob/master/src/main/resources/e... .

5 years, 10 months

1
0
0 / 0

Re: [keycloak-dev] PKCE support for Keycloak Adapters (OAuthRequestAuthenticator)

by 乗松隆志 / NORIMATSU，TAKASHI

Hello, I've encountered the same problem and gave up. At that time, the naive idea had hit on me. * prepare some concurrently accessible singleton (line KeycloakDeployment) from OAuthRequestAuthenticator * store generated codeVerifier on it with state parameter value as its key. But, considering the nature of codeVerifier, the followings are required for such the store * codeVerifier should be treated the same secure levels as client credentials * codeVerifier should be short-lived and deleted after its life the same as Authorization Code Therefore, It might be better to create an tentative instance whose lifetime is between issuing Authorization Code Request and issuing Token Request. And, it should be identified and only accessible from the session instance who issued Authorization Code Request. However, I'm afraid it might be difficult to accomplish it in generic fashion. We need to implement the above each type of client adapter. Best regards, Takashi Norimatsu Hitachi Ltd., -----Original Message----- From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> On Behalf Of Thomas Darimont Sent: Wednesday, May 30, 2018 9:02 AM To: keycloak-dev <keycloak-dev(a)lists.jboss.org> Subject: [!][keycloak-dev] PKCE support for Keycloak Adapters (OAuthRequestAuthenticator) Hi there, I was recently playing with the PKCE support in Keycloak (server) which worked quite well. However the support for client / adapters seems to be quite limited at the moment... I think support for PKCE to all? java adapters could be added quite easily - I could provide a PR but I'm currently stuck with finding a generic way to store the codeVerifier generated for the login redirect for later retrival for the code2token exchange. Do you have any recommendations for this? I created the following JIRA issue (with some comments) to track this: https://clicktime.symantec.com/a/1/bkUjActRvyW1Ds3zoQSu7mjr4Nabixm_1YJAW4... Cheers, Thomas _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://clicktime.symantec.com/a/1/Xn2ffdZIVPL_UA8_cnNApcirkcZZdsnyb6SpUd...

5 years, 10 months

4
9
0 / 0

KEYCLOAK-2606 - Browsertab-Support for Cordova

by Gregor Tudan

Hi there, I would like to pick up an old issue: KEYCLOAK-2606<https://issues.jboss.org/browse/KEYCLOAK-2606> Our current app uses Keycloak with the Cordova In-App-Browser. Technically this works fine, but the user experience is … uhmm … awful. The page renders quiet slow and has focus issues. I’d love to help getting some support for the browser-tab. I started porting the ionic sample app to browertabs, but would like to check back with you before doing something stupid. The idea is: 1. In Keycloak.js Cordova Adapter check if browertab is supported, else fall back to in-app-browser 2. Open the login-page with the In-App-Browser (leaving the app) 3. Register a custom-url-scheme and configure it as redirect url (i.e. keycloakapp://). We’ll need another Cordova plugin for this (i.e. deep links). The Cordova-Adapter needs to get extended for this, since „localost“ seems to be hardcoded as redirect-url) 4. The Keycloak-server will redirect to the app after login succeeded. The App will need to reinitialize the Keycloak-Adapter with the code given in the url - I’m not sure if this will work out of the box. Does this sound reasonable? Thanks, Gregor!

5 years, 10 months

2
7
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev June 2018