August 2018 - keycloak-dev - Jboss List Archives

Wildcard for Valid Redirect URI Hostname

by Josh Cain

Per KEYCLOAK-3585: <https://issues.jboss.org/browse/KEYCLOAK-3585> Currently, valid redirect URI hostnames allow for wildcards at the end like so: http://www.redhat.com/* I'm managing several environments where clients need 'n' number of available redirect URI's with different hostnames, I.E. http://developer1.env.redhat.com http://developer2.env.redhat.com http://developer3.env.redhat.com Would really help to have the ability to wildcard hostnames too, I.E.: http://*.env.redhat.com I've submitted #3241 <https://github.com/keycloak/keycloak/pull/3241> to address this issue, but there seem to be some concerns about allowing wildcards in other parts of the URL. See the PR for a more fleshed out discussion, but wanted to start a thread here on the mailing list. Particularly with respect to: - Does anyone have need of this feature or would find it useful? - Should this kind of wildcard be allowed as a configuration option by Keycloak? Josh Cain | Software Applications Engineer *Identity and Access Management* *Red Hat* +1 256-452-0150

4 years, 10 months

5
13
0 / 0

Improved CSP support

by Johannes Knutsen

Hi, I am currently looking at improvements in the Content Security Policy (CSP) support. In our deployment, we have security requirements stating that a CSP header should be used and inline scripts, styles and resources should be blocked. For example by setting a CSP value like default-src 'self';. Such a policy breaks Keycloak's manipulation of the browser history implemented in the BrowserHistoryHelper, since the JavascriptHistoryReplace injects an inline JavaScript. The simplest workaround is to also inject a nonce value or SHA hash of the script to the existing CSP header. However, while implementing this, I found that a CSP nonce in general would be nice to have available in any template context. This will also make it easier to migrate the default Keycloak theme to support stricter security policies. An example implementation can be found here: https://github.com/knutz3n/keycloak/commit/c6cfb3efa2942d7569066c0e4bd90a... Would you be interested in merging a change like the one above? If not, what is your view on how to allow stricter content security policies? Tests and documentation is currently missing, but I will add both if this is something you would consider merging. As a note, I have also done some work on supporting a strict CSP value for the default theme. But there are some issues with included 3rd party scripts which must/should be resolved. Let me know if you want more details regarding this. Best regards, Johannes Knutsen

4 years, 12 months

2
4
0 / 0

Possible feature: role attributes

by Schuster Sebastian (INST/ESY1)

Hi everybody, We have a use case where we would like to store additional meta-information for roles. This come from our IAM-requirements, that say there is a single responsible person for a role or that roles give access to data with different classifications. One way to store this kind of information would be to introduce role attributes to client and realm roles, basically similar to user or group attributes. For us, it would be sufficient to have this information purely as metadata, i.e. we would only read it through the audit log to inform the responsible person about role assignments if a role with a certain classification is assigned. In contrast to that, you can add group und user attributes to a token using user attribute mappers and the client application can extract this information from the token and act on it. WDYT? Does anybody else have similar requirements? Would you need role custom attributes also in the token? I can imagine that it gets kind of difficult to identify where attributes come from, once there are user, group, and role attributes, possibly with inheritance/composition. Best regards, Sebastian Mit freundlichen Grüßen / Best regards Dr.-Ing. Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com<mailto:Sebastian.Schuster@bosch-si.com> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn

5 years

2
3
0 / 0

SCIM v2 support

by Lösch, Sebastian

Hello, in a customer project we use keycloak and need a SCIM (System for Cross-domain Identity Management) API. Currently we write a wrapper API and a custom endpoint providing the SCIM functionality. We wrote a extension of the UserEntity, UserModel and an extension of the JpaUserProvider. This strategy seems not ideal and the nicest way is to add this extensions to Keycloak. This is already suggested in https://issues.jboss.org/browse/KEYCLOAK-2537 Is anybody out there who can guide me, what coding would be necessary to contribute the SCIM functionality? Currently I think we have to: - extend the UserEntity with all SCIM attributes. This will result in additional tables/entities for complex attributes e.g. Address, Name, Email - extend the UserModel to povide the additional attributes - implement the new SCIM endpoint /Users - make the additional attributes available via Admin REST API /users - extend views to be able to edit SCIM user attributes using the web ui - - All the above again for the Groups endpoint This also seem to be major changes. To big for one Pull Request. How do you like to handle this? Best regards, Sebastian

5 years

3
4
0 / 0

Potential performance regression between 3.4.3.Final and 4.3.0.Final

by Thomas Darimont

Hello Keycloak team, has anyone encountered some performance issues after upgrading 3.4.3 to 4.x (4.3.0)? Today I noticed a performance regression while preparing an upgrade from Keycloak 3.4.3.Final to 4.3.0.Final in our staging environment. In our test environment, we have around ~100k test users stored in a postgres-backed database. When we started the server with the new Keycloak version, the migration went through, and everything looked fine at first, but when we tried to browse the list of users via the admin-console, we noticed that the CPU and memory consumption of the server increased significantly, up to a point where Keycloak crashed with an OOME. All previous Keycloak versions including 3.4.3 were very modest with their memory requirements and quite happy with ~1g heap. However, that seems to have changed in Keycloak 4.3.0 - there we needed at least 4g to prevent Keycloak from crashing with an OOME. Furthermore, we noticed that the response times for browsing the paginated user view increased significantly as well: In Keycloak 3.4.3 the average time to load a user page is ~80ms. In Keycloak 4.3.0 (and older versions >= 4.0.0.Beta1) the same operation takes ~7 seconds for a test realm with just 10k users. In the test realm with 100k users, the time to load a single page in the users listing was 66 seconds for version 4.3.0, on average - compared to quite stable 80ms in 3.4.3. The database query that is executed by Keycloak 4.3.0 runs in ~1.5 seconds for 100k users, so I assume the processing logic in Keycloak is the culprit. The problem of long load-times can be reproduced with the Keycloak docker images and the in-memory database. I also created a small example project that creates some users with just a few attributes in a docker based 3.4.3 and 4.3.0 Keycloak environment with a Postgres database to reproduce the problem. https://github.com/thomasdarimont/kc-user-regression-tester Cheers, Thomas

5 years

5
15
0 / 0

SAML client integration HTTP 405 error

by Adrien DESBIAUX

Hi there, We are running Keycloak 3.4, and we noticed that for some SAML clients, we get a HTTP 405 error. This happen for example with client having a local login and a button to login with SSO. For example Appdynamics does that (to name only that one). They perform a POST request to the Keycloak SAML endpoint of the configured client, leading to a HTTP 405 error. The fact that they perform a POST to load the Keycloak login page is discussable, but how to counter this behaviour on Keycloak client's configuration side? Thank you in advance for your guidance. Cheers,

5 years

3
3
0 / 0

Implementing user self service via REST APIs

by William Jones

Hi As part of my Keycloak implementation, I would like to offer user self service, e.g. change password. I do not wish to theme the built-in user account dashboard, but instead build the functionality directly into our website. We are already using the Admin API for user administration, but as I understand it, it would not be appropriate to use this for actions which are actually being carried out by the end user. The auditing would be incorrect, and certain functionality is unavailable anyway - for example, whilst we could set a new user password via the Admin API, we would have no way of verifying that the existing user password is correct (we want the user to provide existing and new, as per the user account dashboard). As such, is the correct approach to this for us to extend KeyCloak with a set of custom REST endpoints to be called by an end user rather than an admin? They will be authenticated at this point so we will be able to pass down their access token for the authentication. If so, I assume I should be following the instructions under "Add custom REST endpoints" detailed at the following URL? https://www.keycloak.org/docs/3.0/server_development/topics/extensions.html Extending Server | Keycloak Documentation<https://www.keycloak.org/docs/3.0/server_development/topics/extensions.html> This is a very powerful extension, which allows you to deploy your own REST endpoints to the Keycloak server. It enables all kinds of extensions, for example the possibility to trigger functionality on the Keycloak server, which is not available through the default set of built-in Keycloak REST endpoints. www.keycloak.org Thanks William

5 years

2
1
0 / 0

Digital fingerprints

by Douglas Palmer

Hi As part of KEYCLOAK-7416 <https://issues.jboss.org/browse/KEYCLOAK-7416> I need to gather information about the device for each session. We are aiming to produce this page: P55-Device-Activity-3 <https://redhat.invisionapp.com/share/3JFODIWB2MR#/screens/274677542>. However, this requires more data about the client device than is carried in a user-agent header such as this: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7”. I’m thinking we will probably need to use a digital fingerprint library, probably executed on the client. Does anyone have a recommendation of a good library? Or have a better suggestion? Regards Doug

5 years, 1 month

2
1
0 / 0

Infinispan Cache and Keycloak instance restart

by Adrien DESBIAUX

Hello! Thanks again for maintaining Keycloak. I would have a question: - We are running Keycloak 3.4 - We did setup a Keycloak standalone HA cluster (3 nodes). - As well we did connect those nodes to an Infinispan cluster. All is running fine. However the trouble comes when we want to update the Keycloak Nodes. Updates can be either on themes or modules. We update for example a module, e.g a new user federation SPI, with Ansible. Then we restart the Keycloak nodes one after another. The restart is required so that a Keycloak node can register the new module. All is correct except that users need to login again after the reload has been performed. Is it something we can prevent happening? it is a strange behaviour, since we rely on Infinispan for sessions cache... Is there another local cache to be configured in Infinispan to avoid users to re-login after restarting Keycloak? It would be very helpful if you could give us a direction to investigate as rolling out several updates per day would lead to several re-logins from a user perspective. Cheers,

5 years, 1 month

3
3
0 / 0

Java Admin Client does not return to caller

by Graser Leon (INST-CSS/BSV-OS)

Hi all, We import some data to Keycloak programmatically using the java admin client. Thereby, we experience some problems. Some of the functions to call do not return to the caller. Tracking down for an example brought us to the RolePoliciesResource class which we use in the version of 4.3.0.Final (same as our Keycloak deployment). https://github.com/keycloak/keycloak/blob/4.3.0.Final/integration/admin-c... In a simple scenario we simply tried to create a 100 policies and find them afterwards using the two provided functions (create and findByName). This works perfectly fine for exactly 50 policies and then you don't get a return with the 50th call (starting from 0). Has anybody experienced issues with running into loops using the java admin client or knows a resolution to this problem? Mit freundlichen Grüßen / Best regards Leon Graser INST-CSS/BSV-OS Tel. +49 30 726112-284 | Mobil +49 1520 9198324

5 years, 1 month

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev August 2018