Multiple password policies
by Jamie McDowell
Hi,
Can you have multiple password policies on the same realm for different OUs?
We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have 2 OUs, 1 for users and the other for service accounts; both of these need to have different password requirements, such as length and complexity.
We have the password policy defined on the OpenLDAP. Has anyone configured this before?
Regards,
Jamie
6 years, 4 months
Keycloak 4.2.1 - Counter based OTP
by Lukasz Lech
Hello,
I'm using Keycloak 4.2.1.Final (docker image).
I've defined an OTP policy: Counter based, SHA1, Look Ahead 100, initial counter 1
I've tested both 6 and 8 digits
I've tried to use FreeOTP and, for 6 digits, Google Auth.
I've deleted the authentication, scanned the QR code once again, and tested a few of the next codes, not only the first.
Each time I get the message that the one-time code is invalid.
Does counter-based policy work at all in Keycloak 4.2.1? I don't see what I'm doing wrong...
Best regards,
Lukasz Lech
6 years, 4 months
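The thread above is about a counter-based (HOTP, RFC 4226) policy with a look-ahead window. The following is an added example, not code from the post or from Keycloak, showing what the server side of that check does: it computes HOTP for every counter from its stored value up to stored value + look-ahead, accepts the first match, and advances its counter past it so the same code cannot be replayed. The secret is the RFC 4226 test vector key; the counter values, window sizes and the walk_through helper are constructed for illustration. One property worth seeing in code: the window only extends forward, so a token whose counter is behind the server's stored counter is rejected regardless of how large the look-ahead is.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits.

    `algorithm` is the hashlib name (sha1 in the policy from the post; sha256/sha512 also work).
    """
    counter_bytes = struct.pack(">Q", counter)          # 8-byte big-endian moving factor
    mac = hmac.new(secret, counter_bytes, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 100,
                digits: int = 6, algorithm: str = "sha1"):
    """Server-side check with a look-ahead window.

    Tries counters server_counter .. server_counter + look_ahead (inclusive). On success
    returns the counter the server must store next (one past the matching value), so the
    same code cannot be replayed; returns None when no counter in the window matches.
    The window only moves forward: a code generated for a counter *below* server_counter
    is rejected no matter how large look_ahead is.
    """
    if len(code) != digits or not code.isdigit():
        return None
    for candidate in range(server_counter, server_counter + look_ahead + 1):
        # constant-time compare so a mismatch does not leak which digits matched
        if hmac.compare_digest(hotp(secret, candidate, digits, algorithm), code):
            return candidate + 1
    return None


# RFC 4226 Appendix D test secret: the ASCII bytes "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"


def walk_through(initial_server_counter: int, token_counter: int, look_ahead: int = 100) -> dict:
    """Constructed simulation: a token at `token_counter` logs in against a server at
    `initial_server_counter`. Returns the code the token showed, the verdict and the
    server's counter afterwards."""
    code = hotp(RFC4226_SECRET, token_counter)
    next_counter = verify_hotp(RFC4226_SECRET, code, initial_server_counter, look_ahead)
    return {"code": code, "accepted": next_counter is not None,
            "server_counter_after": next_counter if next_counter is not None else initial_server_counter}


if __name__ == "__main__":
    print(walk_through(initial_server_counter=1, token_counter=3))   # accepted, server moves to 4
    print(walk_through(initial_server_counter=5, token_counter=3))   # rejected: server is ahead of token
```

When debugging a rejected counter-based code, comparing the token's current counter with the server's stored counter is the first thing to check: if the server is already ahead, every code the token shows falls outside the window above.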
Migration to 4.2.1 extracting RESOURCE_URIs fails with fine-grained admin permissions
by Schuster Sebastian (INST/ESY1)
Hi everybody,
I just noticed that 4.2.1 contains a migration (jpa-changelog-authz-4.2.0.Final.xml) that extracts the URI column from the RESOURCE_SERVER_RESOURCE table and puts it into a separate table RESOURCE_URIS. This table has a NOT NULL constraint on the new uri column (called VALUE). The accompanying data migration AuthzResourceUseMoreURIs.java selects rows from the old table and inserts the URIs into the new one. This fails for all resources that did not have a URI before because of the NOT NULL constraint, for example for Keycloak-internal resources like groups that don’t have a URI.
Is this intended behavior?
Best regards,
Sebastian
Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn
6 years, 4 months
SKIP_CACHE_STORE for Infinispan
by Poiffaut Romain
Hi,
I am currently looking into the Infinispan cache usage in Keycloak.
While reading the source code, I discovered that InfinispanChangeLogBasedTransaction decorates the cache with the SKIP_CACHE_STORE flag. This flag was added to resolve KEYCLOAK-5656 regarding multiple DCs.
This fix has the side effect of preventing the information from being persisted in an external cache store.
What do you think about adding a mechanism to enable/disable this behavior according to need?
Best regards,
Romain
6 years, 4 months
Error while updating jboss/keycloak from old :latest to newer :latest
by Lukasz Lech
Hello,
I've started keycloak locally from docker image jboss/keycloak:latest
Today I've pulled the image, and I've got the following error:
Caused by: liquibase.exception.ValidationFailedException: Validation Failed:
1 change sets check sum
META-INF/jpa-changelog-authz-4.0.0.CR1.xml::authz-4.0.0.CR1::psilva@redhat.com is now: 7:57960fc0b0f0dd0563ea6f8b2e4a1707
at liquibase.changelog.DatabaseChangeLog.validate(DatabaseChangeLog.java:206)
at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1139)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.keycloak.common.util.reflections.Reflections.invokeMethod(Reflections.java:379)
The problem is, I'm not sure which :latest state I was using; it was some snapshot of 4.0.0-Beta.
I've tried to start :latest, :4.0.0.Final, and :4.0.0.Beta3 now, but none of them works with the old database.
Does it mean that my current database is unusable and I need to start from scratch, or is there some way to update it?
Should I never ever in the future use :latest image?
Best regards,
Lukasz Lech
6 years, 4 months
Authentication flow deep/shallow copy ambiguity
by Dmitry Telegin
Hi,
When copying authentication flow where some authenticators have been
configured, I'd expect deep copy, i.e. including authenticator configs.
But that's not the case, here are the steps to reproduce:
- create Copy of Browser Flow;
- configure Identity Provider Redirector with "foo" IdP;
- create Copy of Copy of Browser flow;
- go to Identity Provider Redirector config, change "foo" to "bar";
- go back to Copy of Browser Flow. The redirector config will change to
"bar".
Is this a bug? If not, I think this should be documented, because it's
not obvious and can cause confusion.
Thanks,
Dmitry
6 years, 4 months
Proposal - use Ant Plugin for generating JKS files
by Sebastian Laskawiec
Hey,
Together with Sebi we are working on Certificate-based authentication for
the clients. Our work will require adding at least 2-3 keystores to the
codebase with different DNs and I think this might be a good opportunity to
revisit the way we handle JKS files in the tests.
Currently we push JKS files directly into our repo, which has a couple of
drawbacks:
- it is hard to figure out what's inside the JKS; it requires looking up
the password (usually in some JSON configuration file or hardcoded in the
test) and using keytool (or a similar tool) to explore its content.
- It is not git-friendly. Every time we update JKS content we effectively
store another binary file (git doesn't understand binary file changes and
can not diff it).
- we use many different naming and password schemes in our tests.
- it is hard to migrate all keystores to pkcs12 at the same time (JKS
format is deprecated) [0]
I believe most of the issues could be addressed by generating JKS files on
the fly - during the build. In Infinispan we did it with Maven Ant Plugin
[1]. I already created a very limited POC for Keycloak and you can check it
out here [2]. Unfortunately, the process of reverse engineering all those
files is quite time-consuming, so I would like to know your opinion before
moving on.
Of course, generating JKS files on the fly has some drawbacks:
- It increases build time (~1s per keytool invocation, and we probably will
have more than 30 of them).
- it makes testing from the IDE a bit harder; you need to run Maven and process
test resources before doing anything. A common workaround is to run `mvn
clean install -DskipTests` and then open IntelliJ.
Please let me know what you think.
Thanks,
Sebastian
[0]
https://blogs.oracle.com/jtc/jdk9-keytool-transitions-default-keystore-to...
[1]
https://github.com/infinispan/infinispan/blob/master/server/integration/t...
[2] https://github.com/keycloak/keycloak/pull/5410
6 years, 4 months
Keycloak and SAML AudienceRestriction
by Dmitry Telegin
Hi,
It's been SAML time recently in keycloak-dev, so I won't be breaking
the trend... :)
A customer tasked us with configuring Keycloak brokering to the 3rd
party SAML IdP. The IdP doesn't allow for SP metadata import, so the
values have to be configured manually, of which the two are mandatory,
namely Assertion Consumer Service URL and Audience (Entity ID).
While things are crystal clear with ACS URL, there was some
misunderstanding with the Audience parameter. Assuming that it should
be equal to the EntityID of Keycloak (acting as an SP in this case),
we've put it there. After that, while reconfiguring for IdP-initiated
SSO, we have changed the ACS (the /clients/{url-name} suffix is
appended to it), but the question was what to do with Entity ID. By
experiment, we have determined that actually any non-empty value
worked.
The situation is ambiguous, and we need to communicate it to the
customer somehow. The line in the docs "put any non-empty value"
smells fishy to me. I've found a technical explanation though; the
Audience (Entity ID) value ends up in the AudienceRestriction tag of
the SAML response. While Keycloak's SAML parser is aware of that tag,
it isn't processed in any way (ignored, in other words).
Here's what the SAML spec says on AudienceRestriction:
> Although a SAML relying party that is outside the audiences
> specified is capable of drawing conclusions from an assertion, the
> SAML asserting party explicitly makes no representation as to
> accuracy or trustworthiness to such a party...
>
> ...the <AudienceRestriction> element allows the SAML asserting
> party to state explicitly that no warranty is provided to such a
> party in a machine- and human-readable form. While there can be no
> guarantee that a court would uphold such a warranty exclusion in every
> circumstance, the probability of upholding the warranty exclusion is
> considerably improved...
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Nothing is said in the spec about whether the AudienceRestriction check is
mandatory, so I'd suppose it is optional. Some SAML-enabled software
however implements strict checking, WebLogic being a well-known case.
So it doesn't look like a defect or a security vulnerability, and
shouldn't pose any problems? Wanted to know the stance of the Keycloak
dev team on this.
Thanks in advance!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
6 years, 4 months
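The post above explains that the Audience (Entity ID) configured at the IdP ends up in the AudienceRestriction of the assertion and that Keycloak's parser reads the element but does not act on it. As an added example (not code from the post, from Keycloak or from any other SP), here is what a strict relying party does with that element, following the evaluation rule in SAML 2.0 Core section 2.5.1.4: within one AudienceRestriction the listed audiences are alternatives, separate AudienceRestriction elements are independent conditions that must all hold, and an assertion with none imposes no audience condition. The assertion XML is constructed inline and unsigned; the SP EntityID is an assumed value. The check belongs after signature validation and never replaces it. The "any non-empty value worked" observation from the post corresponds to the second case in the main block: a strict SP rejects it.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def build_assertion(audience_restrictions):
    """Build a constructed, unsigned sample assertion for illustration (not a real IdP response).

    `audience_restrictions` is a list of lists: each inner list becomes one
    <saml:AudienceRestriction> holding one <saml:Audience> per value.
    """
    restrictions = "".join(
        "<saml:AudienceRestriction>"
        + "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
        + "</saml:AudienceRestriction>"
        for audiences in audience_restrictions
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0" '
        'IssueInstant="2018-07-26T10:00:00Z">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        f"<saml:Conditions>{restrictions}</saml:Conditions>"
        "</saml:Assertion>"
    )


def audience_restriction_valid(saml_xml: str, relying_party_entity_id: str) -> bool:
    """Evaluate <AudienceRestriction> as SAML 2.0 Core 2.5.1.4 describes.

    Within one AudienceRestriction the audiences are alternatives (any one may match);
    several AudienceRestriction elements are independent conditions that must all hold.
    An assertion without AudienceRestriction imposes no audience condition.
    Accepts a bare <saml:Assertion> or a wrapper element containing assertions.
    This runs *after* signature validation; it is not a substitute for it.
    """
    root = ET.fromstring(saml_xml)
    assertion_tag = f"{{{SAML_NS}}}Assertion"
    assertions = [root] if root.tag == assertion_tag else root.findall(".//saml:Assertion", NS)
    if not assertions:
        return False                      # nothing to trust at all
    for assertion in assertions:
        for restriction in assertion.findall("./saml:Conditions/saml:AudienceRestriction", NS):
            audiences = {a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text}
            if relying_party_entity_id not in audiences:
                return False              # this condition excludes us: assertion is Invalid
    return True


SP_ENTITY_ID = "https://keycloak.example.com/auth/realms/demo"   # assumed SP EntityID

if __name__ == "__main__":
    matching = build_assertion([[SP_ENTITY_ID]])
    any_value = build_assertion([["any-non-empty-value"]])
    print(audience_restriction_valid(matching, SP_ENTITY_ID))    # True
    print(audience_restriction_valid(any_value, SP_ENTITY_ID))   # False for a strict SP
```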
Need some guidance on authenticating from third party website
by francois maturel
Hello team!
We have a solution based on Keycloak 3.4.3.Final where our customer used
to log in through the standard Keycloak login form.
This customer now wants to pre-authenticate their users to our solution
when they log into their own portal.
The customer provides us all their users' usernames / passwords for our
solution (which we import through a batch) and they can use those to
authenticate their users in our solution.
Note that our customer has different usernames / passwords for their portal.
We proposed to adapt the login form Content-Security-Policy to allow the
login form to load in their portal (with login_hint), but this still
requires a user action.
Is there any way to log into Keycloak automatically from a third party
website and get the KEYCLOAK_SESSION / IDENTITY cookies (we would like
to avoid Direct Grant / Implicit Flow...) ?
Could you please provide some guidance on how to achieve this?
Thanks!
--
Regards,
François Maturel
6 years, 4 months
Re: [keycloak-dev] OAuth 2.0 Mutual TLS Client Authentication
by 乗松隆志 / NORIMATSU,TAKASHI
Hello Sebastian,
I'm looking forward to your work, and I would be happy if I could make some contribution after finishing your work.
Best regards,
Takashi Norimatsu
Hitachi Ltd.,
----------
From: Sebastian Laskawiec <slaskawi(a)redhat.com>
Sent: Thursday, July 26, 2018 5:24 PM
To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: [keycloak-dev] OAuth 2.0 Mutual TLS Client Authentication
Hey Takashi,
Thanks a lot for the interest in contributing to Keycloak!
Sebi and I are working on this topic currently. We plan to reuse some bits of the User x509 Authentication and bring them to the client. We planned the implementation for this sprint, so it *should* be ready in ~3 weeks.
More comments inlined.
Thanks,
Sebastian
On Thu, Jul 26, 2018 at 1:23 AM 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello,
As mentioned in https://issues.jboss.org/browse/KEYCLOAK-7512 and https://issues.jboss.org/browse/KEYCLOAK-7635, is there anyone currently implementing OAuth 2.0 Mutual TLS Client Authentication as defined in https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2 ?
We also have additional requirement - allow to authenticate client without "client_id" being sent (we need to extract it from the Certificate obtained during TLS Handshake). This is required for OpenShift integration.
If no one is doing it, I would like to try to implement this feature. What do you think about it?
Also, in https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2, two types of OAuth 2.0 Mutual TLS Client Authentication are defined, for PKI and for Self-Signed Certificate.
I would be happy if those of you interested in this feature would tell me which you like better.
As far as I know, we won't be touching self-registering clients. So maybe once we are done (let's assume that will happen in ~3 weeks), you could take it over and look into that?
BTW, as for now, we will be implementing everything in this branch: https://github.com/sebastienblanc/keycloak/tree/client-x509 (currently, it contains an empty Authenticator but we will be adding bits and pieces to it).
Best regards,
Takashi Norimatsu
Hitachi Ltd.,
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
6 years, 4 months
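The exchange above discusses the two client authentication methods in draft-ietf-oauth-mtls (PKI, where the certificate chains to a trusted CA and its subject DN is compared with the registered one, and self-signed, where the presented certificate is compared with the registered certificate) plus the extra requirement of authenticating without a client_id. The following is an added example, not code from either participant and not Keycloak's implementation or client model: it shows the decision logic for both methods, resolves the client from the certificate when no client_id is sent, and adds the cnf/x5t#S256 confirmation claim that binds an issued token to the certificate. The DER byte strings are constructed placeholders (the TLS layer would supply real certificates), the subject DN is passed in as a string rather than parsed from the certificate, the registry and method names are hypothetical, and registered certificates are matched by SHA-256 thumbprint as a simplification.

```python
import base64
import hashlib


def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256: base64url(SHA-256(DER certificate)) without '=' padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode("ascii")


# Constructed placeholders standing in for the DER bytes the TLS layer hands over.
CLIENT_A_DER = b"constructed placeholder: DER certificate of pki-client"
CLIENT_B_DER = b"constructed placeholder: DER certificate of selfsigned-client"

# Hypothetical client registry (not Keycloak's client model). One auth method per client:
#   tls_client_auth             - PKI method: chain to a trusted CA and subject DN must match
#   self_signed_tls_client_auth - self-signed method: cert must match the registered thumbprint
CLIENTS = {
    "pki-client": {"method": "tls_client_auth",
                   "tls_client_auth_subject_dn": "CN=pki-client,O=Example Corp,C=US"},
    "selfsigned-client": {"method": "self_signed_tls_client_auth",
                          "x5t#S256": x5t_s256(CLIENT_B_DER)},
}


def resolve_client_id(cert_der: bytes, subject_dn: str, chain_valid: bool):
    """Find the client for a certificate when no client_id was sent; None if none or ambiguous."""
    thumb = x5t_s256(cert_der)
    matches = []
    for cid, reg in CLIENTS.items():
        if reg["method"] == "self_signed_tls_client_auth" and reg["x5t#S256"] == thumb:
            matches.append(cid)
        elif (reg["method"] == "tls_client_auth" and chain_valid
              and reg["tls_client_auth_subject_dn"] == subject_dn):
            matches.append(cid)
    return matches[0] if len(matches) == 1 else None   # ambiguity is a failure, not a guess


def authenticate_client(cert_der: bytes, subject_dn: str, client_id=None, chain_valid: bool = False):
    """Return the authenticated client_id, or None.

    cert_der / subject_dn: the client certificate from the TLS handshake (DN passed as a
    string here instead of being parsed). chain_valid: whether the TLS layer validated
    the chain to a trusted CA. client_id may be omitted; it is then derived from the
    certificate (the 'no client_id' requirement raised in the thread).
    """
    if client_id is None:
        client_id = resolve_client_id(cert_der, subject_dn, chain_valid)
        if client_id is None:
            return None
    reg = CLIENTS.get(client_id)
    if reg is None:
        return None
    if reg["method"] == "tls_client_auth":
        ok = chain_valid and reg["tls_client_auth_subject_dn"] == subject_dn
    elif reg["method"] == "self_signed_tls_client_auth":
        ok = reg["x5t#S256"] == x5t_s256(cert_der)      # no chain validation for self-signed
    else:
        ok = False
    return client_id if ok else None


def bind_token_to_cert(claims: dict, cert_der: bytes) -> dict:
    """Add the cnf/x5t#S256 confirmation claim so the token is bound to this certificate."""
    return {**claims, "cnf": {"x5t#S256": x5t_s256(cert_der)}}


def token_matches_cert(claims: dict, presented_der: bytes) -> bool:
    """Resource-server side: accept the token only on a TLS connection using the bound cert."""
    expected = claims.get("cnf", {}).get("x5t#S256")
    return expected is not None and expected == x5t_s256(presented_der)


if __name__ == "__main__":
    dn = "CN=pki-client,O=Example Corp,C=US"
    print(authenticate_client(CLIENT_A_DER, dn, "pki-client", chain_valid=True))   # pki-client
    print(authenticate_client(CLIENT_B_DER, "CN=selfsigned"))                       # selfsigned-client
    token = bind_token_to_cert({"sub": "pki-client"}, CLIENT_A_DER)
    print(token_matches_cert(token, CLIENT_A_DER), token_matches_cert(token, CLIENT_B_DER))
```

The two methods fail differently: a PKI client with the right DN but an unvalidated chain is rejected, and a self-signed client is accepted only for the exact registered certificate, so rotating that certificate means re-registering its thumbprint.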