User Device Activity
by Pedro Igor Silva
Hi All,
I apologize for the long email :)
The new account console should provide a nice feature (see attachment) to
help users to track their devices activity. I think the main goal is not to
be 100% accurate (mainly because device identification is not an easy task)
but let users know about:
* The devices the user is using to authenticate
* Suspicious behavior either from devices that are not known or based on
the last time a device was used to authenticate
I would like to share what I've done so far and what the next steps could
be. I've submitted a WIP [1] that basically relies on the User-Agent header
to obtain info about devices.
Device identification is based on the OS and Device (if available from the user
agent), where requests from the same IP are considered as being from the
same device. If the IP is different, we check the session id; if it is the
same, the request is from the same device. If you use a different browser,
you also have that grouped and available as a list from the device
representation. It is worth mentioning that device management is only
performed when a session is created in Keycloak, or it is used when
processing a request. One thing to consider is that if running behind a
proxy, Keycloak should be able to obtain the original client address from a
header.
By using the device/client IP as an identifier, I'm also trying to avoid
creating a new device if the session is still active. If so, we assume that
the request comes from the same device and we just update that info, so
that subsequent requests will match by IP.
However, if the session ends and the IP changes, a new device will be
created (if the device session was not updated). To overcome that, I think
we could:
* Support a specific cookie to identify devices (UUID)
* Allow clients connecting to Keycloak to provide a device fingerprint
(sent as a header, for instance), with restrictions on which clients can do
that
* Geolocation
* Anything else?
The first two options are useful depending on the client.
For browsers, cookies are more natural. Yes, users can clear browser data,
but in the worst case they will get a new device entry and we'll show that.
Still, a good option IMO.
Device fingerprint may be useful for mobile apps or other types of clients
that are capable of providing a unique and trustworthy identifier. It can
be used for browsers too, but I think this implies more privacy/security
concerns.
Regarding the third one above (geolocation), I'll skip it for now as we can
live without it in a first version of the feature, although it would enrich
the functionality even more, as well as the discussions happening around MFA
and adaptive authentication.
Data purging is another concern. Right now we don't have anything in this
regard, but I would like to expire entries based on the last time they
were accessed. Or maybe this is something we should just keep, and admins
should be responsible for purging data, as it may imply privacy and security
concerns that are specific to a particular use case.
Lastly, I think we should probably have a switch for this feature, so
admins can enable/disable it according to their needs. Not sure if this
kind of stuff always makes sense.
[1] https://github.com/keycloak/keycloak/pull/6217
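The matching heuristic described in the message above (same OS/device, then same IP, otherwise same session id; a new entry when both differ, and expiry by last access), as an added, constructed example rather than the code in the WIP PR. It assumes the OS and device name have already been parsed from the User-Agent and uses hypothetical Device/Request records.

```python
from dataclasses import dataclass, field

# Constructed example of the matching heuristic described above, not Keycloak's
# code. OS and device name are assumed to be already parsed from the User-Agent.

@dataclass
class Device:
    os: str
    device: str
    ip: str              # last client address seen for this device
    session_id: str      # last Keycloak session seen for this device
    browsers: set = field(default_factory=set)
    last_seen: int = 0   # unix seconds of the last matched request

@dataclass
class Request:
    os: str
    device: str
    browser: str
    ip: str
    session_id: str
    ts: int

def match_device(devices, req):
    """Return the existing Device this request belongs to, or None."""
    for d in devices:
        if (d.os, d.device) != (req.os, req.device):
            continue  # different OS/device family: never the same entry
        if d.ip == req.ip or d.session_id == req.session_id:
            return d  # same IP, or a different IP but the same active session
    return None

def record_request(devices, req):
    """Update the matched device or create a new one. Returns (device, is_new)."""
    d = match_device(devices, req)
    is_new = d is None
    if is_new:
        d = Device(req.os, req.device, req.ip, req.session_id)
        devices.append(d)
    # refresh IP and session so later requests from the new address match by IP
    d.ip, d.session_id, d.last_seen = req.ip, req.session_id, req.ts
    d.browsers.add(req.browser)
    return d, is_new

def purge_stale(devices, now, max_age):
    """Drop entries not seen within max_age seconds; returns how many were removed."""
    keep = [d for d in devices if now - d.last_seen <= max_age]
    removed = len(devices) - len(keep)
    devices[:] = keep
    return removed
```

The fourth request in the test below reproduces the gap the message points out: once the session has ended and the IP has changed, the same physical device gets a second entry.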
X.509 Authenticator - New User Identity Source
by Nemanja Hiršl
Hi,
The current implementation of the X.509 Authenticator uses a number of different
mappings of a certificate to a user identity.
None of the provided mappings can guarantee uniqueness. It is up to the CA to
choose which fields to include in SubjectDN and SAN, and there might be
some unique data. In these cases we can use provided mappers to identify
users. However, if there's a need to support certificates from different
CAs, with unrelated usage of SubjectDN and SAN fields those mappers are
not sufficient.
One way to uniquely identify a user is to use the certificate thumbprint. For
the solution I'm working on, we have implemented SHA256-Thumbprint
mapper and it is giving us expected results.
Do you think sha256 thumbprint mapper would be a useful addition to
already existing mappers?
Should I prepare appropriate PR?
The other approach might be a combination of serial number and issuer.
According to RFC 5280, the issuer name and serial number identify a
unique certificate. This is something I haven't tried, but I would like to
hear your opinion.
Thanks.
References:
1. There's a nice explanation on stackoverflow of what can be used to
uniquely identify users:
https://stackoverflow.com/questions/5290571/which-parts-of-the-client-cer...
2. There's also a discussion here:
https://issues.jboss.org/browse/KEYCLOAK-9610
3. RFC 5280: https://tools.ietf.org/html/rfc5280#section-4.1.2.2
Best regards,
Nemanja
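The three identity sources discussed above (a SubjectDN attribute, a SHA-256 thumbprint, and issuer plus serial), as an added, constructed example and not Keycloak's X.509 authenticator code. The certificate records and their DER bytes are placeholders; the example shows why a SubjectDN attribute collides across CAs while the other two do not.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example, not Keycloak's X.509 authenticator code. A certificate is
# modelled by the fields the mappers look at plus its DER bytes; the DER values
# below are placeholders, not real certificates.

@dataclass(frozen=True)
class Cert:
    issuer: str                 # issuer DN as an RFC 4514 string
    serial: int                 # serialNumber, unique per issuer (RFC 5280 4.1.2.2)
    subject: Dict[str, str]     # SubjectDN attributes
    san_email: Optional[str]    # rfc822Name from SubjectAltName, if any
    der: bytes                  # DER encoding (placeholder bytes here)

def identity_by_subject(cert: Cert, attr: str) -> Optional[str]:
    """Existing mapper style: one SubjectDN attribute; uniqueness depends on the CA."""
    return cert.subject.get(attr)

def identity_by_thumbprint(cert: Cert) -> str:
    """Proposed mapper: SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(cert.der).hexdigest()

def identity_by_issuer_serial(cert: Cert) -> str:
    """Alternative: issuer DN plus serial; the serial alone is only unique per issuer."""
    return f"{cert.issuer}#{cert.serial:x}"

def collides(mapper, c1: Cert, c2: Cert) -> bool:
    """True when the mapper maps both certificates to the same user identity."""
    return mapper(c1) == mapper(c2)

# Two CAs that both issued a certificate with CN=jdoe and, by chance, the same serial.
CERT_A = Cert("CN=Corp CA,O=Example", 0x1001, {"CN": "jdoe", "O": "Example"},
              "jdoe@example.test", b"placeholder-der-A")
CERT_B = Cert("CN=Partner CA,O=Partner", 0x1001, {"CN": "jdoe", "O": "Partner"},
              "jdoe@partner.test", b"placeholder-der-B")
# Renewal of CERT_A by the same CA: new serial and DER, identical subject.
CERT_A2 = Cert("CN=Corp CA,O=Example", 0x1002, {"CN": "jdoe", "O": "Example"},
               "jdoe@example.test", b"placeholder-der-A2")
```

Note that both the thumbprint and the issuer/serial pair change when a certificate is renewed (CERT_A2), so the link between a user and their certificate has to be re-established at renewal with either approach.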
All PR's failing
by Stan Silvert
The adapter tests are timing out on all new PR's.
Hynek, I'm told that you might be able to help?
Stan
Custom Social Login with qr code instead of a link (feature request?)
by kkzxak47
Hi,
I'm new to keycloak and trying to implement an SSO service.
I have successfully implemented a 3rd party identity provider and it
appeared in the "social.providers" list; it's working fine.
Now I want to take a step further. By clicking the social login button,
browser will take me to another IdP's login page which is a qr code. I want
to skip this "click" step and show that qr code directly on the login page
side by side with the username login form, like this:
[image: bc818ea6-0100-4b19-ad6b-a42078f6266e.png]
I achieved it in a hacky way: "click" that button and load that page in
an iFrame with javascript.
The rationale is: This is THE login page and we finish login process
right here, click "Log in" or scan the qr code. Period.
But this method is not ideal for two reasons.
First, I can't "click" the button on the page directly because it
will break the username/password login form; if I then click the "Log in"
button it will tell me: "Action expired. Please continue with login now."
So I have to replicate the current login page in a new tab (a new tab session)
and grab the link from there to avoid breaking the login form (in javascript).
Second, this will not work when the user inputs a wrong
username/password combination, then the url would change to for example "
https://keycloak.example.com/auth/realms/test/login-actions/authenticate?...
<https://keycloak.xsts.xyz/auth/realms/xs-internal/login-actions/authentic...>",
here replicating the page will not give me a new tab session. So I have to
disable the "click" feature in this page or the username/password form
would again break:
[image: 3e27aef4-ab08-4e98-a6ad-06325d9f9de0.png]
So I was wondering if there is a proper way to achieve this, and what
your thoughts are. Or, in your opinion, this is not a good use case at all and I
should stop right here.
I read the manual carefully so I felt reluctant to post this question
here. But I got no response from keycloak-user mailing list in two weeks so
this is my last resort.
Thank you for your attention.
Victor Z.
KeyCloak and MongoDB
by Federico Punzo
Hi,
I tried keycloak-users first but got no response...
I would like to know (for a system where we are evaluating using KeyCloak)
whether MongoDB is supported as KeyCloak's underlying database, or whether only
relational DBMSs are supported.
Thanks in advance!
Federico Punzo
Infinispan error during update in ha configuration
by Мартынов Илья
Hello!
I have Keycloak 4.5.0.Final deployed in a standalone-ha configuration in a k8s
cluster. When I try to update Keycloak to version 6.0.1, the following
happens:
1. K8s starts new pod with version 6.0.1
2. The old pod is still running; it will be terminated on a successful readiness
probe of the new pod
3. The new pod discovers the old pod via JGroups, and cache synchronization starts
4. Exception in new pod:
02-07-2019;13:34:29,220 WARN [stateTransferExecutor-thread--p25-t1]
org.infinispan.statetransfer.InboundTransferTask ISPN000210: Failed to
request state of cache work from node idp-6569c544b
-hsd6g, segments {0-255}: org.infinispan.remoting.RemoteException:
ISPN000217: Received exception from idp-6569c544b-hsd6g, see cause for
remote stack trace
at org.infinispan(a)9.4.8.Final
//org.infinispan.remoting.transport.ResponseCollectors.wrapRemoteException(ResponseCollectors.java:28)
...
Caused by: java.io.IOException: Unknown type: 132
at
org.infinispan.marshall.core.GlobalMarshaller.readNonNullableObject(GlobalMarshaller.java:681)
at
org.infinispan.marshall.core.GlobalMarshaller.readNullableObject(GlobalMarshaller.java:355)
at
org.infinispan.marshall.core.BytesObjectInput.readObject(BytesObjectInput.java:40)
Looks like this exception blocks further Keycloak startup, because nothing
happens in the logs afterwards. Also, my REST service, deployed as a JAX-RS bean,
doesn't respond, so the pod is not treated as alive by Kubernetes.
Please help.