January 2019 - keycloak-dev - Jboss List Archives

External role to role idp mapper update brokered user behavior buggy ?

by Sebastien SB. BERTHIER

Hi, Some months ago, I reported a strange behavior about external role to role idp mapper. https://issues.jboss.org/browse/KEYCLOAK-8690 It concernes particularly the update method. - When a user (with local role) leaves external token role, then the mapped role is remove from local keycloak user. - But when a user (without local role) gains the external token role, then the mapped role is not added to local keycloak user. For me and Stian (see comments), it seems to be a bug. What is your opinion ? S?bastien B.?

5 years, 3 months

2
1
0 / 0

Enable or disable otp from external application integrated to keycloak

by Swetha Talluri

Hi , We have a legacy application to which we are planning to integrate keycloak for otp flows . We so far have otps sent through mobile , we need to replace that flow with keycloak google auth otp. Do we have anyway to replace in our legacy application ? When user toogles button of enabling 2fa on our application , we should be able to see keycloak barcode for that user and update the user entry in our database. Similar flows for disabling 2fa , we need keycloak page to enter otp and then disable user's 2fa flow. Thanks, Swetha.T

5 years, 3 months

1
0
0 / 0

passing SAML extensions and context to custom authenticators

by Gideon Caranzo

Hi All, I'd like to propose a feature that allows custom authenticators to handle SAML extensions, authentication context and other request attributes. Right now in OIDC, all request claims are passed to custom authenticators which allows for customized behavior depending on the claims. However, this is not the case for SAML. Only attributes that are explicitly set (e.g. NameID) in the auth session are passed to custom authenticators. Information like SAML extension and authentication context are not available which limits the ability to define custom behaviors. In the past, we ran into similar limitation and we had to update keycloak core to add support for NameID attribute. To solve this, we can have an optional hook that pre-process SAML login request right before authentication. The hook can then extract the needed attributes and set it accordingly for custom authenticators to process. The pre-processing will be done in *SamlService.BindingProtocol.loginRequest()*: *public* *class* SamlService *extends* AuthorizationEndpointBase { *. . .* *public* *abstract* *class* BindingProtocol { . . . *protected* Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) { . . . SamlAuthenticationPreprocessor preProcessor = session .getProvider(SamlAuthenticationPreprocessor.*class*); *if* (preProcessor != *null*) { preProcessor.process(requestAbstractType, authSession); } *return* newBrowserAuthentication(authSession, requestAbstractType.isIsPassive(), redirectToAuthentication); } Let me know what you think. Thanks. Best regards, Gideon

5 years, 3 months

2
1
0 / 0

Multiple user login on the same browser for Account Aggregation application

by 乗松隆志 / NORIMATSU，TAKASHI

Hello, I've used keycloak for such the client application that collect a user's information via API provided by a resource server (e.g. collect balance from bank’s API). If the user has multiple accounts in the resource server, the client application must collect information on all these accounts. In order to do this, the client application let the user conduct an authentication and authorization flow for each account on the same browser consecutively. The current keycloak implementation cannot allow a user to login multiple accounts consecutively and simultaneously on the same browser. Therefore, the user must terminate and restart the browser every time she or he login on one of his or him accounts, which is not good for UX perspective. I’ve opened JIRA (https://issues.jboss.org/browse/KEYCLOAK-9332). I have an idea to resolve it and contribute its realization hopefully. However, I'm not sure this idea is appropriate or not. So, I am happy to get some suggestions and advices on it. [Idea] The current (keycloak-4.8.2.Final) keycloak's implementation seems to be as follows: RootAuthenticationSessionModel class instance has several AuthenticationSessionModel class instances. Browser is bounded to RootAuthenticationSessionModel by AUTH_SESSION_ID Cookie and realm. AuthenticationSessionModel is bounded to Browser's tab by RootAuthenticationSessionModel, client id, and tab id. It seems that keycloak allows a user on the same browser to login on the same account for several clients per browser's tab, and it is good for Web SSO use case. However, it does not work good for Account Aggregation use case. My proposal is that suppressing (expiring explicitly) AUTH_SESSION_ID Cookie and its related Cookies on the client side (not the server side) at the end of an authentication and authorization flow make the browser new to logging-in onto keycloak every time. Also, adding a switch to change the operation mode from the ordinal Web SSO mode to the proposed one (like Securing API mode). Best Regards Takashi Norimatsu Hitachi, Ltd.

5 years, 3 months

2
5
0 / 0

Transaction approval via OpenID Connect User Questioning API

by Felix Meißner

Hi everyone, recently, I have been investigating how to integrate transaction approval in an OpenID Connect based environment. It seems to me, the OpenID Connect User Questioning API is the perfect match, but as far as I can see, Keycloak is currently not implementing this API, right? Also, I cannot fond any issue at JBoss regarding this feature. Are there any reasons to not implement the User Questioning API in Keycloak, or has there just not yet been a feature request / someone willing to implement this? Or are there any other ways to aquire the user's consent via Keycloak? At Hanko, we are developing a Keycloak plugin that allows to use FIDO2 as well as UAF and U2F devices as second or multi-factor authentication devices in Keycloak with help of our API. Now, we are looking for a way to integrate signed transactions based on FIDO in Keycloak. Thank you for your comments! Viele Grüße / Best regards Felix Meißner Hanko.io – Convenient and Secure Authentication Hanko GmbH Ringstr. 19 | 24114 Kiel | Germany Email: felix.meissner(a)hanko.io Phone: +49 431 908 929 25

5 years, 3 months

2
3
0 / 0

Impersonation extention

by Youssef EL HOUTI

Hey guys, Just so you know, I have been working on extension that would allow a user with impersonation role to retrieve and access/refresh token for another user. (instead of the builtin behavior that uses cookies). you can find it here: https://github.com/elhoutico/keycloak-impersonation May be it could be added to the list of extensions: https://www.keycloak.org/extensions.html Cheers

5 years, 3 months

2
2
0 / 0

Session Expiry & Remember Me

by Alex Chatziparaskewas

Hi All, I am trying to get the remember me functionality running having the problem that my sessions are expired by keycloak - in my eyes - prematurely. I started digging through keycloak code and stumbled over the following: class UserSessionPredicate, method 'test': ... if (entity.isRememberMe()) { if (expiredRememberMe != null && expiredRefreshRememberMe != null && entity.getStarted() > ###expiredRefreshRememberMe### && entity.getLastSessionRefresh() > expiredRefreshRememberMe) { return false; } } else { if (expired != null && expiredRefresh != null && entity.getStarted() > expired && entity.getLastSessionRefresh() > expiredRefresh) { return false; } } ... The marked (###) 'expiredRefreshRememberMe' in the second if statement, should that not be 'expiredRememberMe'? Thanks & Regards, Alex

5 years, 3 months

2
3
0 / 0

Javascript adapater tests

by Guillaume Vincent

Hello Keycloak dev list, in a previous post I raised the problem that the JavaScript adapter did not have JavaScript tests. In a couple of hours I created a simple example for Keycloak with unit and functional tests https://github.com/guillaumevincent/keycloak-lite You can see tests in this file https://github.com/guillaumevincent/keycloak-lite/blob/master/test.js I also created a blog post on IMO How to test JavaScript code: https://guillaumevincent.com/2019/01/15/test-in-javascript.html Maybe we can open the discussion on how keycloak.js should be tested. Without any fast and automated tests, in JavaScript, the refactor of the keycloak adapter will not be easy at all. wdyt? -- Guillaume Vincent Senior Software Engineer

5 years, 3 months

4
7
0 / 0

OIDC Discovery-enabled IdentityProvider

by James Campbell

All-- After observing that the Google Social Identity Provider in Keycloak was using a deprecated userprofile endpoint [ <https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-9179> Keycloak-9179, <https://issues.jboss.org/browse/KEYCLOAK-9169> Keycloak-9169], I wanted to propose the creation of an IdentityProvider that will use the OIDC Discovery mechanism to dynamically build a config [ <https://issues.jboss.org/browse/KEYCLOAK-9194> Keycloak-9194]. I see a few decision points along the way that I wanted to ask about before an implementation, since I'm very new to keycloak and just starting to understand the codebase. In particular, I wondered if this group could share insight into these couple issues so I can make a more informed design: 1. It looks to me like the actual IdentityProviders are instantiated just as they're being used, but that the models are persisted in the RealmModel. It's not clear to me where the separation of concerns is supposed to be between the IdentityProvider and the IdentityProviderModel-in particular since the GoogeIdentityProvider, say, immediately sets endpoints in its constructor. Normatively, where *should* social identity providers' model configuration be set (and, e.g., where are the models first added to the RealmModel)? 2. I see that there is logic to parse OIDC Discovery configuration as part of configuring Keycloak itself as an OIDC provider / implementer of OIDC protocol (including building and parsing the .well-known config elements), but that logic seems not to be used in any setting currently as a client. Should I plan to reuse, say, the OIDCConfigurationRepresentation and OIDCWellKnownProvider classes for their logic in handling such configs? Currently, I'm imagining something along the lines of extending OIDCIdentityProvider with a new OIDCDiscoveryIdentityProvider that adds a discoverConfig method which can be used by an implementing class (such as GoogleIdentityProvider) to discover and cache endpoints such that they are not hard-coded into the implementing class. Each implementing class would then have a public static final DISCOVERY_URL that it passes to discoverConfig. My main hangup, as suggested above, is that to implement the caching, I want to ensure that the model configuration is stored/set in the right place. Thanks for bearing with me as I come up to speed on this! James

5 years, 3 months

3
4
0 / 0

token_introspection_endpoint == introspection_endpoint ? in .well-known/openid-configuration

by Thomas Darimont

5 years, 3 months

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev January 2019