Re: [keycloak-dev] passing SAML extensions and context to custom authenticators
by Caranzo Gideon
Hi Hynek,
Thank you for your response. Yes, I agree with you. It would be good to have this mechanism in those areas as well.
I already have a PR ready for just the SAML login portion. Is it fine with you if I submit this first so that we can use it as early as possible? We can create a separate ticket to implement similar mechanism for other SAML messages and broker endpoint which can be done in near future.
Thanks,
Gideon
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org] On Behalf Of Hynek Mlnarik
Sent: Thursday, January 24, 2019 1:58 AM
To: Gideon Caranzo <gideonray(a)gmail.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] passing SAML extensions and context to custom authenticators
Hi Gideon,
thanks for the idea. Something like that would be a useful enhancement. The implementation would need to cover also the broker endpoint, other SAML message types (extensions are part of message types other than AuthnRequest as well), and count on several implementations of the hypothetical SamlAuthenticationPreprocessor. Could you please file an "Enhancement" JIRA?
--Hynek
On Wed, Jan 16, 2019 at 5:49 PM Gideon Caranzo <gideonray(a)gmail.com> wrote:
> Hi All,
>
> I'd like to propose a feature that allows custom authenticators to
> handle SAML extensions, authentication context and other request attributes.
>
> Right now in OIDC, all request claims are passed to custom
> authenticators which allows for customized behavior depending on the claims.
> However, this is not the case for SAML. Only attributes that are
> explicitly set (e.g. NameID) in the auth session are passed to custom authenticators.
>
> Information like SAML extension and authentication context are not
> available which limits the ability to define custom behaviors. In the
> past, we ran into similar limitation and we had to update keycloak
> core to add support for NameID attribute.
>
> To solve this, we can have an optional hook that pre-process SAML
> login request right before authentication. The hook can then extract
> the needed attributes and set it accordingly for custom authenticators to process.
>
> The pre-processing will be done in
> *SamlService.BindingProtocol.loginRequest()*:
>
> *public* *class* SamlService *extends* AuthorizationEndpointBase {
>
> *. . .*
>
> *public* *abstract* *class* BindingProtocol {
>
> . . .
>
> *protected* Response loginRequest(String relayState,
> AuthnRequestType requestAbstractType, ClientModel client) {
>
> . . .
>
> SamlAuthenticationPreprocessor preProcessor = session
> .getProvider(SamlAuthenticationPreprocessor.*class*);
>
> *if* (preProcessor != *null*) {
>
> preProcessor.process(requestAbstractType, authSession);
>
> }
>
>
>
> *return* newBrowserAuthentication(authSession,
> requestAbstractType.isIsPassive(), redirectToAuthentication);
>
> }
>
>
> Let me know what you think. Thanks.
>
> Best regards,
> Gideon
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flis
> ts.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev&data=02%7C01%7Cgi
> deon.caranzo%40gemalto.com%7C6f947d88676b4f788b2108d681d1d529%7C37d0a9
> db7c464096bfe31add5b495d6d%7C0%7C0%7C636839135555784466&sdata=Yhpx
> 28KFJWJGa1kv1ROWWqJd3nt60YvAb0YmeKUU5Mg%3D&reserved=0
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists....
________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
5 years, 3 months
Override "native" Keycloak providers
by Jerry Saravia
Hello,
We’ve been using version 3.4.3 for a while now and are attempting to upgrade to 4.8 and we’ve run into some issues.
Summary: We have created our own providers with the same PROVIDER_ID as some of the built in providers. For example, PasswordCredentialProvider has a provider id of “keycloak-password” and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map.
See this link here for 3.4.3 changes:
https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/j...
These are the 4.8 changes
https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/j...
In 4.8, the fully qualified class name (FQCN) is not longer used. Instead it uses the provider id and the spi name. I can no longer use the same PROVIDER_ID as the native providers to ‘override’ them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this:
PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
In 3.4.3 because our provider was loaded we were able to inject into code that normally isn’t overridable. We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior even the UpdatePassword required action itself rather than making a brand new required action that is a “second rate” because it isn’t native to Keycloak.
Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history.
J
Jerry Saravia
Software Engineer
T(516) 603-6914
M516-603-6914
virginpulse.com
|virginpulse.com/global-challenge
492 Old Connecticut Path, Framingham, MA 01701, USA
Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA
Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s). Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message.
v2.48
5 years, 6 months
Proposal: Improvements to IdpUsernamePasswordForm
by Dmitry Telegin
Hi,
I'm currently working to implement the following requirements:
- users are managed externally via LDAP, self-registrations disabled;
- there is an external IdP;
- generally, there is no way to automatically match IdP identity with Keycloak's one, so IdP linking will always be performed by the user manually;
- in order to do that, the user should click the IdP icon in the login screen, authenticate with the IdP, get back to Keycloak and "claim" his/her Keycloak account by entering correct username and password.
Currently, the closest thing in Keycloak is o.k.authentication.authenticators.broker.IdpUsernamePasswordForm (aka "idp-username-password-form", aka "Username Password Form for identity provider reauthentication").
However, it 1) prefills username field and makes it non-editable, 2) depends on the preceding IdpCreateUserIfUniqueAuthenticator execution to provide existing user model (EXISTING_USER_INFO auth note).
My proposal is to improve IdpUsernamePasswordForm by allowing its execution even without the preceding IdpCreateUserIfUniqueAuthenticator. In the absence of EXISTING_USER_INFO, IdpUsernamePasswordForm should allow the user to manually enter username.
Please let me know if you think it's worth having this in Keycloak. Regards,
Dmitry
5 years, 7 months
X.509 User Identity Extractor - multiple values
by Sven-Torben Janus
Hey all!
I am currently facing a situation with a customer who wants to implement mutual SSL / client cert authentication. As I understand from the UserIdentityExtractor[1] implementations, currently only returning a single value is allowed, because the UserIdentityToModelMapper[2] calls toString on the actual userIdentity object.
Now my customer uses the serial number from the certificate to identify users. However, this is only unique in combination with the issuer of the certificate, since my customer supports multiple CAs. The combination of both exists in their LDAP as a single attribute where both parts are separated by a special separator character.
In addition to that, the whole certificate of the user is also available in another LDAP attribute.
I currently see the following options to implement a solution for this:
1) Writing a custom Authenticator to handle that specific situation. This one would look very similar to the ootb X509 authenticator, but implements either a) or b) (see below)
2) Making a contribution to Keycloak and extend the list of available UserIdentitiyExtractors.
For both approaches two different implementations come to my mind:
a) Adding an additional UserIdentitiyExtractor which combines the issuer and the serial number into a single string and use that as an identity.
b) Adding an additional UserIdentitiyExtractor which returns the whole certificate as the user's identity.
We would prefer contributing to Keycloak, if such a contribution is welcome and meaningful.
Do you have any advice on which way to go here?
[1]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
[2]https://github.com/keycloak/keycloak/blob/master/services/src/main/java...
Regards
Sven-Torben
5 years, 8 months
Keycloak session limiting (KEYCLOAK-849) (BA-93)
by Mauro de Wit
Hello,
I am sending this e-mail because I have some questions regarding the
enhancement request that enables configurable session limiting in Keycloak
as discussed here:
https://issues.jboss.org/browse/KEYCLOAK-849 (The developer that Marc Wijma
referred to in his comment as being available for this task is me btw :))
In the comments a solution is proposed that makes use of a custom
Authenticator that is dropped into the authentication flow where it can be
configured. While I can see the benefit of leveraging the existing
components as much as possible (including the configuration options in that
flow), I am wondering if this is the best solution. As far as I can tell,
this component is not performing any authentication at all. Moreover this
functionality operates 'above' the authentication mechanisms and should
apply to all of them.
So is an Authenticator really the desired place to implement this? Or is
this just the quickest route, while not being the most desirable option for
the long term? What would be an alternative approach be? That would place
this implementation and configuration in the existing Session configuration
code for instance.
I just now started investigating this task and looking into the options
that would meet our requirements. Hope to hear from you.
Regards
Mauro
>
5 years, 9 months
Re: [keycloak-dev] translate keycloak
by Eugen Stan
Bump.
Hello again. We managed to translate some languages already and we would
like to contribute the translations upstream and hopefully improve the
translation process.
We have some feedback from our process. We use this process internally
and the idea is to have it working for keycloak open source
Proposal for Keycloak
- We propose to move the community translations in a separate git
project - just with the translations
- That repository is going to be used by Weblate as a source of
translations ( use Free Hosted Weblate - https://hosted.weblate.org/ )
- The translations project can be added as a git sub module to the
keycloak project
- during build the translations can be copied to the final artifact
We do this allready and we can help with the code migrations. Having
this setup will improve the contributions to translations and also the
ability to change the translations easily.
WDYT?
Regards,
Eugen
La 01.12.2018 19:22, Eugen Stan a scris:
> Hello,
>
> Where can we find the translation files for Keycloak and what is the
> process for upstreaming them?
>
> We are planning to deploy Keycloak for authentication for our services.
> We have users all accross the globe and we have translators that we can
> ask to translate.
>
> I'm planning to push the translations upstream once they are done (need
> to get approbal on this).
>
>
> Regards,
>
> Eugen
>
>
>
5 years, 9 months
keycloak with postgres database
by Kedar Maindargikar
Hello,
I am new to keycloak , I would like to understand if I am using keycloak in
"standalone cluster mode" where each node will have a copy of keycloak
running which connects to external postgres database., where the postgres
nodes are not in cluster but have one to one connection with key cloak
deployment on each node .
Will this work ?
Thx
Kedar
5 years, 9 months
Migrate from dep to Go 1.11 modules
by Bruno Oliveira
Good morning,
For a long time, dependency management has been the subject of several
threads in the Golang community. Too many tools, which one is the best
and things like this.
Since Go 1.11.x, it was finally introduced some sorta of official
solution for Go development, named Go modules. And after Go 1.13
release, this is going to become the standard way of handling
dependencies[1].
That being said, I'd like to remove Dep, from Gatekeeper and move to Go
modules. The efford required to this was like 15 min of my time and I
already did it here: https://github.com/keycloak/keycloak-gatekeeper/pull/472
Please, let me know if there are any concerns around this.
[1] - https://blog.golang.org/using-go-modules
--
abstractj
5 years, 9 months