Announcement of the GuardianKey extension
by Paulo Angelo
Hi all,
We are glad to announce the first release of the GuardianKey extension for
KeyCloak.
On this occasion, we would like to acknowledge that the KeyCloak community
is very active and contributed a lot by providing directions for the
problems we faced in this foray. We give a special thank you to
Aléxis Almeida, Dmitry Telegin, Stian Thorgersen, and Thomas Darimont.
GuardianKey is a solution to protect systems against authentication
attacks. We use Machine Learning to analyze the user's behavior, threat
intelligence, and psychometrics (or behavioral biometrics) and provide an
attack risk in real time. The protected system (in the concrete case,
KeyCloak, via the extension) sends the events via REST to GuardianKey
on each login attempt and can notify users or even block the high-risk
events. Also, there is a panel that presents dashboards about login
attempts. We have cloud and product versions. We note that there is a free
service for small environments. More info at [1].
The extension is available at [2], in which we also included documentation
(docs and video [3]) for its installation, configuration, and use.
We appreciate any suggestions or comments.
[1] https://guardiankey.io
[2] https://github.com/pauloangelo/guardiankey-plugin-keycloak
[3] https://youtu.be/R5QFcH4bXuA
Once again, thank you!
Best regards,
Paulo Angelo
https://www.linkedin.com/in/reddhatt/
5 years, 1 month
deploy custom spi on docker
by Swetha Talluri
Hi,
I have a custom SPI required for custom REST endpoints using JPA. How
should I deploy this custom SPI in Docker? Please help.
Thanks,
Swetha.T
5 years, 1 month
What Jetty versions we want to support?
by Sebastian Laskawiec
Hey guys,
I'm working on moving Jetty adapter tests from the old testsuite into the
new one. I can see we support these Jetty versions [1]:
- 8.1
- 9.1
- 9.2
- 9.3
- 9.4
Do we want to keep it this way or maybe concentrate on testing adapters
against 8.1 and 9.4 only (the last major versions)?
Thanks,
Sebastian
[1] grep -lir "keycloak-saml-jetty" --include="*.xml"
5 years, 1 month
Locale selection logic
by Stian Thorgersen
There have been a few issues reported around the logic of setting the
locale.
I've tried to add the issues to a single issue
https://issues.jboss.org/browse/KEYCLOAK-9632 where we can come up with a
new and improved logic. If you have observed other issues please comment on
the issue.
Something like this may work:
1. From authentication session if set
2. From user if set
3. From ui_locales if set
4. KEYCLOAK_LOCALE cookie if set
5. Browser header if set
6. Realm default
7. Fallback to en
When the locale is changed through the login pages the locale should be set
in the authentication session as a note to update the user's locale. Note:
ui_locales should not update the user's locale.
When the user is authenticated, update the user's locale from the
authentication session if set. If the authenticated user has a locale set,
update the KEYCLOAK_LOCALE cookie.
5 years, 1 month
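The resolution order proposed above, written out as a standalone Java class (an added example, not Keycloak's own LocaleSelectorProvider). It assumes the realm's enabled locales are BCP 47 tags and treats "if set" as "present and enabled on the realm", so a stale cookie or a tampered ui_locales value for a locale the realm does not offer is skipped rather than trusted; the Accept-Language step uses java.util.Locale's RFC 4647 lookup so a malformed header degrades to the next step instead of breaking login.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Locale resolution in the priority order proposed in the post (added example, not Keycloak code). */
public final class LocaleResolution {

    /** The candidate sources one request can carry; any of them may be absent (null). */
    public static final class Inputs {
        public String authSessionLocale; // note on the authentication session (set by the login-page switcher)
        public String userLocale;        // locale attribute stored on the user
        public String uiLocales;         // OIDC ui_locales parameter: space separated, most preferred first
        public String cookieLocale;      // KEYCLOAK_LOCALE cookie
        public String acceptLanguage;    // Accept-Language header, e.g. "pt-BR,pt;q=0.9,en;q=0.8"
    }

    /** The chosen locale plus the step that produced it, which is what you want in a debug log. */
    public static final class Result {
        public final String source;
        public final String locale;
        Result(String source, String locale) { this.source = source; this.locale = locale; }
        @Override public String toString() { return locale + " (from " + source + ")"; }
    }

    private final Set<String> supported;  // locales enabled on the realm, as BCP 47 tags (assumption)
    private final String realmDefault;    // realm default locale; null when none is configured

    public LocaleResolution(Set<String> supported, String realmDefault) {
        this.supported = supported;
        this.realmDefault = realmDefault;
    }

    public Result resolve(Inputs in) {
        String l;
        if ((l = accept(in.authSessionLocale)) != null) return new Result("auth-session", l);
        if ((l = accept(in.userLocale)) != null) return new Result("user", l);
        if ((l = firstSupported(splitUiLocales(in.uiLocales))) != null) return new Result("ui_locales", l);
        if ((l = accept(in.cookieLocale)) != null) return new Result("cookie", l);
        if ((l = fromAcceptLanguage(in.acceptLanguage)) != null) return new Result("browser", l);
        if ((l = accept(realmDefault)) != null) return new Result("realm-default", l);
        return new Result("fallback", "en");
    }

    /** "If set" means present AND enabled on the realm; client-supplied values are never used blindly. */
    private String accept(String candidate) {
        return candidate != null && supported.contains(candidate) ? candidate : null;
    }

    private String firstSupported(List<String> candidates) {
        for (String c : candidates) if (accept(c) != null) return c;
        return null;
    }

    private static List<String> splitUiLocales(String uiLocales) {
        if (uiLocales == null || uiLocales.isBlank()) return List.of();
        return Arrays.asList(uiLocales.trim().split("\\s+"));
    }

    /** Weighted Accept-Language matching with language fallback (pt-BR matches pt); malformed headers yield null. */
    private String fromAcceptLanguage(String header) {
        if (header == null || header.isBlank()) return null;
        try {
            return Locale.lookupTag(Locale.LanguageRange.parse(header), supported);
        } catch (IllegalArgumentException malformed) {
            return null; // an unparsable header must not break login; fall through to the realm default
        }
    }

    public static void main(String[] args) {
        // Constructed realm: three enabled locales, German as the realm default.
        LocaleResolution r = new LocaleResolution(Set.of("en", "de", "pt"), "de");
        Inputs in = new Inputs();
        System.out.println(r.resolve(in));               // nothing set: realm default
        in.acceptLanguage = "pt-BR,pt;q=0.9,en;q=0.8";
        System.out.println(r.resolve(in));               // browser header, with pt-BR falling back to pt
        in.cookieLocale = "en";
        System.out.println(r.resolve(in));               // cookie outranks the browser header
        in.uiLocales = "fr de";                          // fr is not enabled, so the second entry is taken
        System.out.println(r.resolve(in));
        in.userLocale = "pt";
        System.out.println(r.resolve(in));               // stored user locale outranks ui_locales
        in.authSessionLocale = "xx";                     // not enabled: ignored, the user locale still wins
        System.out.println(r.resolve(in));
    }
}
```

The main method walks the chain from the bottom up, adding one source at a time, so each line shows the next step overriding the previous one; the last call shows an auth-session value the realm does not support being skipped instead of selected.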
Log username if user is not found?
by Stian Thorgersen
If an invalid username or email is used during login the logs will include
the username.
This could potentially be an issue if a user mistakenly enters his
credentials into the username field. We had this
https://issues.jboss.org/browse/KEYCLOAK-9400 issue opened.
Personally I'm not convinced this is a real issue and I'm leaning towards
keeping it as is as having the username available can be useful when
debugging login issues.
The question is: should we log the username or not?
5 years, 1 month
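One middle ground between the two options discussed above, as an added example rather than anything proposed in the thread: log a keyed pseudonym of the submitted identifier instead of the raw value. Repeated attempts with the same wrong input still produce the same token, so an operator can correlate them and can find a real user's lines by computing the token for the known username, while a password typed into the wrong field never reaches the log in clear. The class name, the message format and the demo key are assumptions of this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;

/** Pseudonymises the submitted login identifier before it reaches the log (added example). */
public final class LoginIdentifierLog {

    private final SecretKeySpec key;

    /** The key lives with the server configuration, never in the logs, so a leaked log cannot be reversed. */
    public LoginIdentifierLog(byte[] logPseudonymKey) {
        this.key = new SecretKeySpec(logPseudonymKey, "HmacSHA256");
    }

    /** Stable 12-character token: equal inputs give equal tokens, so repeats remain correlatable. */
    public String pseudonym(String submitted) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            byte[] tag = mac.doFinal(submitted.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag).substring(0, 12);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** Builds the "user not found" line with what a debugger needs, minus the raw value. */
    public String userNotFoundMessage(String submitted, String remoteAddr) {
        String kind = submitted.contains("@") ? "email" : "username";
        return String.format("login failed: user not found, identifier=%s kind=%s ip=%s",
                pseudonym(submitted), kind, remoteAddr);
    }

    public static void main(String[] args) {
        // Constructed key for the demo; a deployment would load it from the server's secret store.
        LoginIdentifierLog log = new LoginIdentifierLog(
                "demo-only-log-pseudonym-key".getBytes(StandardCharsets.UTF_8));
        // Someone typed their password into the username field twice: both lines carry the same
        // token and no secret (constructed input and address).
        System.out.println(log.userNotFoundMessage("Hunter2!", "203.0.113.7"));
        System.out.println(log.userNotFoundMessage("Hunter2!", "203.0.113.7"));
        // Support can still locate the lines for a real account by deriving the same token.
        System.out.println("search logs for identifier=" + log.pseudonym("alice@example.com"));
    }
}
```

Rotating the key breaks correlation across the rotation boundary, which is the intended trade-off: old log lines stop being linkable to new ones without the old key.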
ClientDescriptionConverter
by Brian Ward
Is there any way to access this code through the kcadmin.sh CLI yet? I
want to import a SAML client the way the GUI does it. I see the GUI uses
ClientDescriptionConverter to parse the EntityDescriptor xml into a json
object that the API uses.
If this is not yet present, I'm happy to build it from the existing
pieces. I don't see it, but thought I'd get confirmation first that we
don't have anything like this in the kcadmin or elsewhere.
Thanks,
Brian
5 years, 1 month
Trailing slash
by Sebastian Laskawiec
Hey guys,
I'm working on migrating Jetty adapters to our base testsuite at the moment
and I noticed an interesting problem.
The URLProvider is responsible for adjusting injected URLs into the Page
objects. One of the things it does is trimming the trailing slash out, so
that "http://localhost:8280/client-secret-jwt-secure-portal/" becomes
"http://localhost:8280/client-secret-jwt-secure-portal". We depend on this
functionality a lot in our testsuite when constructing all kinds of
assertions that include myPage.getInjectedUrl().toString(). In other words,
if we inject a URL with a trailing slash, there will be quite a lot of tests
that fail.
The trailing slash at the end is not meaningless, unfortunately. It is
used by the container to find the proper context. Here's one of the best
explanations I found so far [1].
Jetty enforces trailing slashes for Servlets deployed in the container. If
you hit a Servlet without a slash
(http://localhost:8280/client-secret-jwt-secure-portal for example), you
will be redirected (with HTTP 302) to a version that has it
(http://localhost:8280/client-secret-jwt-secure-portal/). This of course
breaks some of the tests in our testsuite (since the Resteasy HTTP Engine
doesn't follow redirects by default). It is also worth mentioning that
Arquillian also adds a trailing slash at the end of the Servlet context [2].
So by default, it injects all URLs with a trailing slash.
My take on this is that we should not trim the trailing slash. Moreover, we
should never manipulate a raw string representation of a URL. What we
should do instead is to use URI#resolve method if we need to query
sub-contexts. Using URI instead of URL is extremely important when it comes
to equality (if you're interested more in this, please read [3]).
If you agree with me, I'll go ahead and create a JIRA for it.
Thanks,
Sebastian
[1] https://stackoverflow.com/questions/37370407/how-to-remove-trailing-slash...
[2] See the org.jboss.arquillian.container.spi.client.protocol.metadata.Servlet#getBaseURIAsString method
[3] http://blog.markfeeney.com/2010/11/java-uri-vs-url.html
5 years, 2 months
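The two points made above, that URI#resolve behaves differently with and without the trailing slash and that a trimmed URL is no longer equal to the one the container hands out, as an added standalone Java example (not testsuite code). The URL is the one quoted in the message; the helper names are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Why the trailing slash matters to URI#resolve, and how to compare contexts without string surgery. */
public final class TrailingSlash {

    /** Resolves a relative reference against a base the RFC 3986 way; an empty reference yields the base. */
    public static URI sub(URI base, String relative) {
        if (relative == null || relative.isEmpty()) return base;
        return base.resolve(relative);
    }

    /** Normalises an injected URL to the form the container actually serves: path ending in "/". */
    public static URI asContext(URI injected) {
        String path = injected.getPath();
        if (path == null || path.isEmpty()) path = "/";
        if (!path.endsWith("/")) path = path + "/";
        try {
            // Rebuild from components instead of editing the string, so query and fragment survive intact.
            return new URI(injected.getScheme(), injected.getAuthority(), path,
                           injected.getQuery(), injected.getFragment());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URI after normalisation", e);
        }
    }

    public static void main(String[] args) {
        URI withSlash = URI.create("http://localhost:8280/client-secret-jwt-secure-portal/");
        URI trimmed   = URI.create("http://localhost:8280/client-secret-jwt-secure-portal");

        // Same relative reference, two different targets: with the slash the result stays inside the
        // servlet context; without it the last path segment is replaced and the context is lost.
        System.out.println(sub(withSlash, "secured"));
        System.out.println(sub(trimmed, "secured"));

        // Component-wise equality on java.net.URI (java.net.URL#equals would instead resolve the
        // host names over DNS, which makes test equality slow and network dependent).
        System.out.println(withSlash.equals(trimmed));
        System.out.println(withSlash.equals(asContext(trimmed)));
    }
}
```

Resolving "secured" against the slash-less base drops the "client-secret-jwt-secure-portal" segment entirely, which is exactly the kind of silent context change that turns into a wrong-endpoint request or a failing redirect assertion.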
Feature freeze lifted
by Stian Thorgersen
Feature freeze is now lifted and we can start merging PRs for Keycloak 5.0.0
5 years, 2 months
Why does the client session expire regardless of the remember-me extended validity?
by Ken Haendel
I have a problem authenticating a spring secured web-app using keycloak
4.8.3.
If the user logs in with remember-me enabled, the user session does use
a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
So far so good.
Now I want to call another secured REST-API using the KeycloakRestService.
That triggers OAuthRequestAuthenticator to verify token
(AdapterTokenVerifier.verifyTokens).
That operation fails, because the client session expired much earlier
(after ssoSessionMaxLifespan). The client session gets removed from the
client session cache
(InfinispanUserSessionProvider.removeExpiredUserSessions).
Error message of AdapterTokenVerifier.verifyTokens() is:
"ERROR RefreshableKeycloakSecurityContext Refresh token failure status:
400 {"error":"invalid_grant","error_description":"Session doesn't have
required client"}"
So, the point is: after the client session gets removed from the cache (SSO
max life span) I can no longer use the refresh token to request new
tokens and call another REST-API service
using the same identity as the web-app,
even though I still have a valid user session to use my Spring app.
Expectation was: I can use refresh token within the larger time span
with remember-me enabled (SsoSessionMaxLifespanRememberMe).
Actual behaviour is: the refresh token becomes useless within the shorter
time span (ssoSessionMaxLifespan).
Question: Why is the client session removed so early and not when the
user session expires? Is that expected behaviour?
Thank you in advance,
Ken
5 years, 2 months
Integration with GuardianKey
by Paulo Angelo
Hi all,
We are trying to integrate KeyCloak with GuardianKey. However, we have
doubts related to the best way to do this and the best point in the
KeyCloak’s code for this integration.
GuardianKey is a service to protect systems against authentication attacks.
It uses Machine Learning and analyses the user's behavior, threat
intelligence and psychometrics (or behavioral biometrics). The protected
system (in the concrete case, KeyCloak) must send an event via REST to
GuardianKey on each login attempt. More info at https://guardiankey.io .
The best way to integrate would be to have a hook in the procedure that
processes the user credentials submission in KeyCloak (the script that
receives the POST), something such as:
if (<POST IN AUTH FORM>) {
    boolean loginFailed = checkLoginInKeyCloak();                         // verify the submitted credentials
    GuardianKeyEvent event = createEventForGuardianKey(username, loginFailed); // describe this attempt
    boolean guardianKeyValidation = checkGuardianKeyViaREST(event);      // ask GuardianKey for a verdict
    if (guardianKeyValidation) {
        // Allow access
    } else {
        // Deny access
    }
}
Where is the best place to create this integration? Is there a way to
create a hook for this purpose? Should we create an extension?
Any help is welcome.
Thank you in advance.
Best regards,
Paulo Angelo
5 years, 2 months
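One way to realise the hook sketched above inside Keycloak's own extension points, as an added example that is neither the GuardianKey extension nor Keycloak code: a custom Authenticator placed after the username/password form in the browser flow, which sends the attempt to a risk service over REST and allows or denies based on the answer. The risk endpoint, its plain-text "ALLOW"/"DENY" reply, the bearer-token header and the class names are assumptions of this example; the Keycloak interfaces (Authenticator, AuthenticationFlowContext, AuthenticationFlowError) are real.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Risk-check step to place AFTER the username/password form in a browser flow (added example). */
public final class RiskCheckAuthenticator implements Authenticator {

    public enum Verdict { ALLOW, DENY, UNAVAILABLE }

    /** Abstracts the REST call so the decision logic can be exercised without a network. */
    public interface RiskClient {
        Verdict evaluate(String realm, String username, String remoteAddr, String userAgent, boolean loginFailed);
    }

    private final RiskClient client;
    private final boolean failClosed;   // deny logins while the risk service is unreachable?

    public RiskCheckAuthenticator(RiskClient client, boolean failClosed) {
        this.client = client;
        this.failClosed = failClosed;
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();   // already verified by the preceding form step
        String ip = context.getConnection().getRemoteAddr();
        String ua = context.getHttpRequest().getHttpHeaders().getHeaderString("User-Agent");
        Verdict v = client.evaluate(context.getRealm().getName(), user.getUsername(), ip, ua, false);
        context.getEvent().detail("risk_verdict", v.name());   // recorded on the LOGIN event for auditing
        if (decide(v, failClosed) == Verdict.ALLOW) {
            context.success();
        } else {
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }
    }

    /** Pure decision, separated so the fail-open / fail-closed policy is explicit and testable. */
    public static Verdict decide(Verdict fromService, boolean failClosed) {
        if (fromService == Verdict.UNAVAILABLE) return failClosed ? Verdict.DENY : Verdict.ALLOW;
        return fromService;
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form of its own */ }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Minimal client for a HYPOTHETICAL endpoint that answers "ALLOW" or "DENY" as plain text. */
    public static final class HttpRiskClient implements RiskClient {
        private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
        private final URI endpoint;
        private final String apiKey;

        public HttpRiskClient(URI endpoint, String apiKey) { this.endpoint = endpoint; this.apiKey = apiKey; }

        @Override
        public Verdict evaluate(String realm, String username, String ip, String ua, boolean loginFailed) {
            String body = "{\"realm\":" + q(realm) + ",\"username\":" + q(username) + ",\"ip\":" + q(ip)
                        + ",\"userAgent\":" + q(ua) + ",\"loginFailed\":" + loginFailed + "}";
            HttpRequest req = HttpRequest.newBuilder(endpoint).timeout(Duration.ofSeconds(3))
                    .header("Content-Type", "application/json")
                    .header("Authorization", "Bearer " + apiKey)
                    .POST(HttpRequest.BodyPublishers.ofString(body)).build();
            try {
                HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
                if (resp.statusCode() != 200) return Verdict.UNAVAILABLE;   // bounded: a timeout never hangs login
                return "ALLOW".equalsIgnoreCase(resp.body().trim()) ? Verdict.ALLOW : Verdict.DENY;
            } catch (IOException e) {
                return Verdict.UNAVAILABLE;
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return Verdict.UNAVAILABLE;
            }
        }

        /** JSON string quoting for untrusted values (username, User-Agent) so they cannot break the document. */
        private static String q(String s) {
            if (s == null) return "null";
            StringBuilder sb = new StringBuilder("\"");
            for (char c : s.toCharArray()) {
                switch (c) {
                    case '"':  sb.append("\\\""); break;
                    case '\\': sb.append("\\\\"); break;
                    case '\n': sb.append("\\n"); break;
                    case '\r': sb.append("\\r"); break;
                    case '\t': sb.append("\\t"); break;
                    default:
                        if (c < 0x20) sb.append(String.format("\\u%04x", (int) c)); else sb.append(c);
                }
            }
            return sb.append('"').toString();
        }
    }
}
```

To register it, an AuthenticatorFactory returning this class is listed in META-INF/services/org.keycloak.authentication.AuthenticatorFactory and the execution is added to a copy of the browser flow after "Username Password Form". Because an execution at that position only runs once the credentials have been verified, the failed attempts the message also wants reported do not pass through it; those arrive as LOGIN_ERROR events at an org.keycloak.events.EventListenerProvider, which is where the loginFailed=true events would be sent from. Whether UNAVAILABLE should mean fail-closed is a deployment decision: fail-closed turns an outage of the risk service into a login outage, fail-open turns it into a window without protection, and the detail recorded on the event makes either case visible in the admin console.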