August 2019 - keycloak-dev - Jboss List Archives

Reverse Proxy Docs (and general logging)

by Evan Shortiss

Hi folks, I was working on Keycloak Node.js demo this morning and couldn't figure out why it was incorrectly constructing my *redirect_uri* for a public client. Instead of using HTTPS it was using HTTP - my application was served over HTTPS. I thought it was might be a bug in keycloak-connect, but turns out it's related to the "trust proxy" setting in express. This is fine, it makes sense to use standard Node.js/Express environment settings to manage this 👍 My question is: should debug logging be added in the adapter to help debug such issues? If I could have run my project with a *DEBUG=keycloak-connect* environment variable set and had logs such as those below it could have been helpful. I think it's also worth adding commented a line to the Node.js example(s) with "trust proxy" set to "true", and a comment above explaining you need to uncomment it if behind a reverse proxy. I'm not sure if the various Java example(s) require a similar setting/comment. When I Googled I didn't find any hits in the Keycloak docs for "reverse proxy" so might be worth a docs update too? keycloak-connect:protect - creating login url keycloak-connect:protect - incoming request.protocol is "http" keycloak-connect:protect - WARNING request.protocol is "http" but "x-forwarded-proto" is "https", "trust proxy" setting might be incorrectly set keycloak-connect:protect - login url is $SOME_URL -- Evan Shortiss Technical Marketing Manager Red Hat NA <https://www.redhat.com/> Los Angeles evan.shortiss(a)redhat.com M: +1-781-354-2834 IM: evanshortiss <https://www.redhat.com/>

4 years, 8 months

2
4
0 / 0

keycloak-js distributed on NPM is broken

by Jon Koops

Hi all, The version of Keycloak JS that is distributed on NPM is currently unusable. Due to a mistake in the source file the Keycloak API is not exposed but rather a newly introduced module in the main file named base64-js is exported. This is because the module export code was pasted with this module. I've created a bug report to adress this, I reccomend picking this up with urgency and perhaps unpublish keycloak-js 7.0.0 from NPM to prevent users from accidentally installing this non-functional version. More information can be found here: - https://issues.jboss.org/browse/KEYCLOAK-11228 - https://github.com/mauriciovigolo/keycloak-angular/pull/154 Regards, Jon

4 years, 8 months

2
3
0 / 0

DB2 support?

by Marc Guillemot

Hi, Is there any plan to support DB2 and/or any interest for patches in this direction? According to an email from last year [1] in the user mailing list, the support has been dropped in 4.x due to lack of time The first error in my quick test comes with the migration to 2.5.0 (MigrationFailedException for change set jpa-changelog-2.5.0.xml). Cheers Marc [1] https://lists.jboss.org/pipermail/keycloak-user/2018-July/014653.html

4 years, 8 months

3
6
0 / 0

Provider's "disabled" and "enabled" flags

by Sebastian Laskawiec

Hey, As Stefan noticed, some providers (including the one I created a few weeks back) check "disabled" flag from the configuration [1][2]. Stefan pointed out, that our Subsystem (and Keycloak internals) already check the "enabled" flag [3] on the SPI level. If the SPI is disabled, it won't be initialized at all, so all the disabled/enabled checks in ProviderFactory#init seems to be redundant. If I didn't miss anything and you all agree with me, I'd like to remove this kind of checks. Thanks, Sebastian [1] https://github.com/keycloak/keycloak/blob/5f9feee3f86e3d856063c8b6d355e30... [2] https://github.com/keycloak/keycloak/blob/3afbdd3ea3d8eb1ef339f2c0c46fb57... [3] https://github.com/keycloak/keycloak/blob/505cf5b25184c59ca85de63b082eb12...

4 years, 8 months

3
3
0 / 0

Suggestion of fields covered by Vault SPI

by Michal Hajas

Hi all, we are getting together fields that can obtain their value from the vault. We decided to start with a small subset of fields and then add more if needed. Suggested subset is following: - SMTP password - LDAP password - Identity provider secret - Client secret (should be easy) There are also other fields which we were considering, however, we decided not to add them for now. Feel free to comment on any of these fields or suggest new once. We are open to add any new fields in case of reasonable arguments. - KeyProviders - This part should be probably added soon as some follow-up work. It might be a little bit tricky as we don't want to duplicate each KeyProvider with its Vaul*KeyProvider version. - Saml keys (private key for signing, encryption) - External tokens from identity brokering - User credentials (hashed passwords, OTP secrets, etc.) - Credential Attributes - Federated User Credentials - Federated User Credential Attributes Best regards, Michal

4 years, 8 months

3
5
0 / 0

jboss-cli access to SSL/secured mgmt port FAILs for keycloak8/wildfly17 configured with Eltyron SSL subsystem & 2-way SSL auth for MgmtUI ?

by PGNet Dev

I've installed keycloak8/wildfly17 built from sources, egrep -i "<wildfly\.[a-z].*\.version>" /usr/local/src/keycloak/pom.xml <wildfly.version>17.0.1.Final</wildfly.version> <wildfly.build-tools.version>1.2.10.Final</wildfly.build-tools.version> <wildfly.core.version>9.0.2.Final</wildfly.core.version> <wildfly.common.version>1.5.1.Final</wildfly.common.version> <wildfly.plugin.version>1.1.0.Final</wildfly.plugin.version> with java -version openjdk version "1.8.0_222" OpenJDK Runtime Environment (IcedTea 3.13.0) (build 1.8.0_222-b10 suse-lp151.333.1-x86_64) OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode) mvn -version Maven home: /usr/share/java/maven Java version: 1.8.0_222, vendor: IcedTea, runtime: /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre Default locale: en_US, platform encoding: UTF-8 OS name: "linux", version: "5.2.9-26.g0100738-default", arch: "amd64", family: "unix" Following docs at http://docs.wildfly.org/17/WildFly_Elytron_Security.html I've installed/enabled the Elytron wildfly adapter, rm'd refs to the legacy security realm, & updated the https-listener to use Elytron's ssl-context. At this stage, cmd-line access to the mgmt controller works as expected, jboss-cli.sh \ --connect \ --controller=10.0.0.1:9990 \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --version JBoss Admin Command-line Interface JBOSS_HOME: /opt/keycloak Release: 9.0.2.Final Product: Keycloak 8.0.0-SNAPSHOT JAVA_HOME: /etc/alternatives/java_sdk_openjdk java.version: 12.0.2 java.vm.vendor: Oracle Corporation java.vm.version: 12.0.2+9-suse-lp151.40.1-x8664 os.name: Linux os.version: 5.2.9-25.g71d4424-default Next, I've setup 2way SSL auth for both the mgmt & admin consoles. Checking *browser* access, the secured WF Management console @ https://10.0.0.1:9993 WORKS, and the unsecured URL http://10.0.0.1:9990 correctly REDIRECTS to the above https:// The secured Admin console @ https://10.0.0.1:8443/auth/admin works. Unsecured Admin console access @ *also* (still) works. (Not sure why it's not disabled yet ...) Now, jboss-cli access to the unsecured port, jboss-cli.sh \ --connect \ --controller=10.0.0.1:9990 \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --version FAILs with Failed to connect to the controller: The controller is not available at 10.0.0.1:990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://10.0.0.1:990. The connection failed: WFLYPRT0053: Could not connect to remote+http://10.0.0.1:990. The connection failed: Connection refused There's apparently no functional redirection, as in the browser. CLI access to the SECURED port ALSO fails, jboss-cli.sh \ --connect \ --controller=remote+https://10.0.0.1:9993 \ -Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.jks \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --version Failed to connect to the controller: The controller is not available at 10.0.0.1:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://10.0.0.1:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://10.0.0.1:9993. The connection failed: java.nio.channels.ClosedChannelException Reading these docs, WildFly Client Configuration version 17.0.0.Final, 2019-07-15T01:10:21Z https://docs.wildfly.org/17/Client_Guide.html#Remoting_Client_Configuration doesn't get me any further on solving the problem. What additional elytron (other?) subsystem command 'magic' is needed to get the jboss-cli WF client working on the secured SSL port?

4 years, 8 months

1
1
0 / 0

Keycloak 6.0.1 and Spring(boot-starter-security) 2.1.7.RELEASE on WildFly not working

by Carsten Rudat

Hi Keycloak-Dev, first of all: awesome product, I like it very much; it’s really feature rich! My current goal/challenge: I have a vaadin-8 application running on WildFly 17. It uses spring-security (old one..) and I successfully used Keycloak with JeePreAuthSecurityConfig. Now, I’m a fan of Keycloak SSO and I want to use the KeycloakRestTemplate. Therefore I tried to change to Spring-Web-Security with Keycloak. I followed Sebis products-app (monkey-see-monkey-do) and picket spring-boot-starter-security:2.1.7.RELEASE and the newes Keycloak-spring-security-adapter:6.0.1. Running my app on http://localhost:8081/myContentRoot/myVaadinView , Keycloak kicks in an redirects me to the Keycloak login. That redirects me to ../myVaadinView/sso/login with some state parameters. But here the success-story ends: I’m not redirected to “myVaadinView” as expected, but to “myContentRoot/”, where I am rejected with HTTP-Status 403 ☹ Debugging the whole thing twice (Sebis Spring-boot Tomcat- and my WildFly Undertow-container), I found org.springframework.security.web.authentication. SavedRequestAwareAuthenticationSuccessHandler#onAuthenticationSuccess where Spring-Web-Security tries to find the original request. On WildFly this *always* fails, because org.keycloak.adapters.OAuthRequestAuthenticator#resolveCode creates a new HTTP-Session (reqAuthenticator.changeHttpSessionId(true)). On Tomcat that works (I think this is a bug in Tomcat) because request.getSession(true) returns the current session, if it exists and is valid (org.apache.catalina.connector.Request.doGetSession(boolean)). How could I deal with that? It seems to be a bug or a design problem to get the old request from the session vs. creating a new one. Carsten ---------------------------------------------------------------------------------- Faktor Zehn GmbH Sitz der Gesellschaft: Muenchen Registernummer: HRB 242535 Registergericht: Amtsgericht Muenchen Geschaeftsfuehrung: Dr. Florian Schwandt, Joerg Renger

4 years, 8 months

2
1
0 / 0

Addition of vault() method to KeycloakSession

by Stefan Guilhen

Hi all, We've been considering the addition of a vault() method to KeycloakSession that returns an object that can be used to obtain secrets in different flavors from the configured vault. This is inline with what we already have for keys, tokens, etc and provides users of the vault with a better experience than looking up the provider using getProvider(Class) and then figuring out how to translate secrets retrieved in raw form into more usable formats, like String. As of now, all the interfaces of the Vault SPI are in the server-spi-private module and for this to work I will need to move a couple of them to the server-spi module, but I think this is ok since the plan is to eventually move all the interfaces there at some point. Just wanted to check if anyone has any strong objections to this plan before I move on with the implementation. Cheers! -- Stefan Guilhen Principal Software Engineer Red Hat <https://www.redhat.com/> sguilhen(a)redhat.com IM: sguilhen @RedHat <https://twitter.com/redhat> Red Hat <https://www.linkedin.com/company/red-hat> Red Hat <https://www.facebook.com/RedHatInc> <https://www.redhat.com/>

4 years, 8 months

2
2
0 / 0

Keycloak springboot adapter does not allowed to set keycloak.policy-enforcer-config.user-managed-access property

by LE BARO Romain

I try to secure my application with the springboot adapter. After digging inside the source code, i have see something that seems to be a bug inside the implementation or maybe I don’t understand it correctly. Inside the KeycloakAdapterPolicyEnforcer class, the method getPermissionTicket that retrieve permissions for a user contains this : private String getPermissionTicket(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AuthzClient authzClient, OIDCHttpFacade httpFacade) { if (getEnforcerConfig().getUserManagedAccess() != null) { ProtectionResource protection = authzClient.protection(); PermissionResource permission = protection.permission(); PermissionRequest permissionRequest = new PermissionRequest(); permissionRequest.setResourceId(pathConfig.getId()); permissionRequest.setScopes(new HashSet<>(methodConfig.getScopes())); Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade); if (!claims.isEmpty()) { permissionRequest.setClaims(claims); } return permission.create(permissionRequest).getTicket(); } return null; } getEnforcerConfig().getUserManagedAccess() != null is always null if you have not defined the keycloak.policy-enforcer-config.user-managed-access property inside the application.properties. But i can't define it because of the PolicyEnforcerConfig class that defines the field userManagedAccess as a UserManagedAccessConfig object @JsonProperty("user-managed-access") @JsonInclude(JsonInclude.Include.NON_NULL) private UserManagedAccessConfig userManagedAccess; but not provides any jackson convertor to passe from String to UserManagedAccessConfig Without this config property set, the adapter just reject every requests. Any workaround for this issue?

4 years, 8 months

1
0
0 / 0

Using plain javascript in javascript based policy

by abhishekumar005＠yahoo.com

Hi all,I am using a Javascript-based policy to verify a user in order to access a particular resource. I want to include an extra check, like, I will call an external API and if that API returns true, then only access will be provided to the user. I tried using XMLHttpRequest to open a get request, but it is not working. In fact, plain js functions like console.log() is also not working in javascript policy. The error show is given below: Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions. Caused by: org.keycloak.scripting.ScriptCompilationException: Could not compile 'Mail-policy' problem was: <eval>:7:4 Expected ; but found xhrlet xhr = new XMLHttpRequest(); ^ in <eval> at line number 7 at column number 4 How to do this? Is there any other approach? Regards,Abhishek

4 years, 8 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev August 2019