September 2019 - keycloak-dev - Jboss List Archives

A newly added Hardcoded Role mapper ignores users that have already logged in before

by EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2)

Hello, In our project, we use the "Hardcoded role" mapper within a configured Identity Provider (also a Keycloak instance, in our case the same but a different realm) to describe that each user logging in via Keycloak shall be given a certain role. This works perfectly if the mapper is configured before the first login of the user. The configured role is granted to the (cloned) user when he logs in the first time via Keycloak. But when another "Hardcoded role" mapper is added to configure another role, then the user is not given the other role when he logs in. Only new users logging in the first time get both roles assigned. Is this on purpose or a bug? Mit freundlichen Grüßen / Best regards Frank Thiele Open Source Services 2 - Product Group Customer Success Services (INST-CSS/BSV-OS2) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com<http://www.bosch-si.com%3chttp:/www.bosch-si.com>> external.Frank.Thiele(a)bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com%3cmailto:external.Frank.Thiele@bosch-si.com>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic

5 years, 6 months

6
32
0 / 0

What Data Does Keycloak Collect on Users?

by Andrew Munro

We need to document this. Stian has added a few thoughts to the related Jira. Can you add others? https://issues.jboss.org/browse/KEYCLOAK-8949 -- *Andrew Munro* Senior Technical Writer Cell: 978-844-0637 Red Hat <https://www.redhat.com> <https://www.redhat.com>

5 years, 7 months

1
1
0 / 0

User Profile design proposal (also known as Profile SPI and user validation)

by Stian Thorgersen

https://github.com/keycloak/keycloak-community/blob/master/design/user-pr...

5 years, 7 months

2
2
0 / 0

Moving to standardized Promises

by Jon Koops

Hi all, I've created some pull requests and tasks for moving towards standardized Promises instead of Keycloak's own custom implementation in order to start a discussion about how to move forward. There has already been some discussion about plans to migrate away from the current situation in KEYCLOAK-9346 <https://issues.jboss.org/browse/KEYCLOAK-9346>. I believe the first order of business to start migrating towards a better place would be to start informing Keycloak's users about the change. In order to do so I propose to make the following changes: 1. The documentation of the JavaScript Adapter should reflect the preference of using the native promises. We can accomplish this by updating the examples used and providing additional documentation of the promiseType field. 2. Users that are currently using Keycloak should be informed that standardized promises are preferred and that they should move away from the current implementation. In order to do so a deprecation warning should be logged in the console with instructions on how to migrate their existing code. I've created the following issues and pull requests for this: *Updates to the documentation preferring promiseType native* - https://github.com/keycloak/keycloak-documentation/pull/742 - https://issues.jboss.org/browse/KEYCLOAK-11436 *Updates to the adapter to inform users of the deprecation* - https://github.com/keycloak/keycloak/pull/6318 - https://issues.jboss.org/browse/KEYCLOAK-11435 Furthermore I would like to start a discussion on these changes and how to move forward after. Feedback on this is greatly appreciated! Regards, Jon

5 years, 7 months

4
11
0 / 0

Proposal for new hostname provider, supporting different front/back channel URLs for adapters (and third-party libraries)

by Stian Thorgersen

See https://github.com/keycloak/keycloak-community/blob/master/design/hostnam... for a proposal of a solution that would make it easier to configure Keycloak as well as add support for different front/back channel URLs both for Keycloak adapters and third-party libraries.

5 years, 7 months

2
3
0 / 0

Override Refresh token lifespan per client

by 田畑義之 / TABATA，YOSHIYUKI

Hello, In cloud-native application systems, there are various client applications and those applications are not the same level (i.e. security level, alliance level, development level). And generally, a realm manager or a resource server manager wants to set a different timeout to tokens (access token/refresh token) per client. For example, for a client which wants to minimize authentication considering usability, we set the timeout of a refresh token longer enough. For a client which wants to refresh tokens periodically to mitigate the token interception attack, we set the timeout of a refresh token according to the client requirement. Currently, the timeout of an access token can be overridden per client. However, the timeout of a refresh token (including offline token) cannot be overridden per client. We'd like to be able to override the timeout of a refresh token (including offline token) per client. We'd already tried to implement this just like access token lifespan overriding, and create JIRA ticket and PR, but Stian recommended that we should discuss this use case and how to implement in ML, so I opened this thread. For single sign-on purpose, it is useful to share sessions among clients in a realm. However, when we implement this, sessions are no longer shared among clients depending on the settings. And this is useful for API management purpose because, for API management purpose, tokens (= sessions) are associated with each client, and should be managed per client. What do you think about this feature? I would be very happy if you community gives any kind of comment on that. JIRA ticket is the following. https://issues.jboss.org/browse/KEYCLOAK-10907 PR is the following. https://github.com/keycloak/keycloak/pull/6309 Regards, Yoshiyuki Tabata Hitachi, Ltd.

5 years, 7 months

4
10
0 / 0

Using export and import for backup and restore

by Sebastian Laskawiec

Hey, In the next few days we'll be looking into implementing backup and restore functionality for the Keycloak Operator. One of the options we are considering, is using an export/import functionality. An Operator could export all realms into a JSON file and put it somewhere in a Persistent Volume. I was wondering, what do you think about this approach? Are there any guarantees around export/import functionality (especially with the regards to its format)? Also, would it work for exporting JSON file from Keycloak and importing it to RHSSO? Thanks, Sebastian

5 years, 7 months

4
7
0 / 0

Need inputs on scenario related to Keycloak SAML Broker IDP SSO

by abhijit gokhale

Hi Team, In our current workflow of customer onboarding, we are provisioning customer users from their IDP (like ADFS) into Keycloak via script. As part of this process once user is created in Keycloak, the script creates IDP linking for the user and for this purpose script uses the Keycloak username field and use it in Provider User Id and Provider Username fields of IDP linking. As Keycloak stores the username in lowercase format the same value with lowercase gets reflected in the Provider User Id field (e.g. abhigokhale(a)gmail.com). The problem is if the SAML response contain Name ID with mix case (say Abhigokhale(a)gmail.com) then Keycloak displays the message that user with the same email already exist. Please note, we are using First login flow with only Create User If Unique authenticator enabled and rest as disabled. I would like to get your opinion if Keycloak shall handle this scenario as its storing the username with lowercase. Thanks & Regards, Abhijit

5 years, 7 months

1
0
0 / 0

User Session Reset

by Мартынов Илья

Hello, I am trying to implement the following scenario with KC. We have two applications, SP1 and SP2, that use KC. KC has identity broker pointing to external IDP. Desired scenario: 1. User agent goes to SP1, he's being redirected to KC and then to extIDP 2. User authenticated in extIDP, and being redirected to KC and then to SP1 with some attributes from extIDP 3. SP1 creates user entity in SP2 basing on attributes from extIDP and attributes collected by SP1 4. User entity in SP2 is synced to user federation store used by KC. 5. User should be able to SSO to SP2. Session in SP2 should obtain attributes set by SP1. The problem is 2 different user entities (instances of UserModel) created at KC at step #2 and #4. I plan to drop 1st entity, and set identity federation with extIDP for 2nd entity. But we also need to change user session in KC, it should contain 2nd user entity data. Otherwise SSO to SP2 won't work. Surprisingly, I've found a method org.keycloak.models.UserSessionModel#restartSession that looks like does the job. I plan to add custom Authenticator and call session reset from there. How do you think, will it work? Thank you

5 years, 7 months

1
0
0 / 0

Identity Provider Claim to Role Mapper new features

by EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)

Hi, I would like to contribute features to the Identity Provider Claim to Role Mapper. 1.) Regex support for claim values: My suggestion for this feature is to introduce a new checkbox in the Claim to Role Mapper to turn regex support for claim value on or off. By default the regex box is unchecked, so currently existing mappers won't change. 2.) Support for multiple claims: Instead of providing one claim and one claim value the idea is to provide a map of claim -> claim value. The role will be assigned when all provided claims match the token. Is it okay to change the existing Claim to Role Mapper for this feature or should I rather introduce a new mapper for this, e. g. Multiple Claim to Role Mapper? What are your thought on that? Do these two features have a chance to be contributed? Best regards Benjamin Weimer INST-CSS/BSV-OS2 Tel. +49 30 726112-0

5 years, 7 months

2
13
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev September 2019