Re: [keycloak-dev] [External] keycloak-dev Digest, Vol 64, Issue 3

Hi Team , We have done standalone configuration , but we are struggling with Domain Cluster mode . We have Angular JS Application ,we have LB in front of key cloak could you please suggest or guide how configuration should be done . Also may use autoscaling in our production Environment ,please suggest is Domain Cluster Mode suitable for this and if yes how to configure it . Thanks , Upendra +91 9765552818 -----Original Message----- From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org&gt; On Behalf Of keycloak-dev-request(a)lists.jboss.org Sent: Wednesday, October 3, 2018 12:41 PM To: keycloak-dev(a)lists.jboss.org Subject: [External] keycloak-dev Digest, Vol 64, Issue 3 Send keycloak-dev mailing list submissions to keycloak-dev(a)lists.jboss.org To subscribe or unsubscribe via the World Wide Web, visit https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail... or, via email, send a message with subject or body 'help' to keycloak-dev-request(a)lists.jboss.org You can reach the person managing the list at keycloak-dev-owner(a)lists.jboss.org When replying, please edit your Subject line so it is more specific than "Re: Contents of keycloak-dev digest..." Today's Topics: 1. Create "online session" from offline session (Niels Bertram) 2. Re: Column Sorting (Stan Silvert) 3. Re: Create "online session" from offline session (Marek Posolda) 4. Re: Create "online session" from offline session (Niels Bertram) 5. PR for adding 'roles' and 'web-origins' client scopes (Marek Posolda) 6. Re: Create "online session" from offline session (Marek Posolda) ---------------------------------------------------------------------- Message: 1 Date: Tue, 2 Oct 2018 16:24:20 +1000 From: Niels Bertram <nielsbne(a)gmail.com&gt; Subject: [keycloak-dev] Create "online session" from offline session To: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Message-ID: <CAPLPyg=MqBHWsA0E2-Sd=UbYh-E+mHAb33F=cOUv9xSkxzPhxg(a)mail.gmail.com&gt; Content-Type: text/plain; charset="UTF-8" Hi devs, we are trying to turn an offline session back into an "online session" for which we can generate cookies and send them to the clients browser. I tried to create a user session with AuthenticationManager but for some reason the created session is not showing up as a proper in the user account management section. Is there anything that needs to happen after this session is created to make it a normal user session? AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, offlineSession); We have a mobile app that uses offline_access to create an "always logged" in experience for the app user. However when we open a SSO-enabled website in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web page to initiate a successful pre-auth check. We wrote a custom resource which we call in our webview to "redirect" the user to an SSO enabled site: 1. authenticate the user AuthResult auth = new AppAuthManager().authenticateBearerToken(session) 2. load a valid userSession UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); 3. create the session cookies AuthenticationManager.createLoginCookie(session, realm, user, userSession, ctx.getUri(), ctx.getConnection()); 4. forward the user to the SSO enabled website 5. SSO enabled website would do a normal pre-auth check with prompt=none There was a similar conversation about the "lost" session in KEYCLOAK-4201 <https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_bro...;, but that one did not go as far as creating a new session. Anyone of you got any clever idea on how do "preload" a valid SSO session into a WebView? Cheers, Niels PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3 ------------------------------ Message: 2 Date: Tue, 2 Oct 2018 06:58:20 -0400 From: Stan Silvert <ssilvert(a)redhat.com&gt; Subject: Re: [keycloak-dev] Column Sorting To: keycloak-dev(a)lists.jboss.org Message-ID: <fcc562ce-4a46-f9a6-09ff-c21c48490cd9(a)redhat.com&gt; Content-Type: text/plain; charset=utf-8; format=flowed If you have a PR for this we would welcome it.? However, it might be quite awhile before it can be merged into the code base because we are fast approaching an extended feature freeze. Stan On 10/1/2018 9:05 PM, KevinO wrote: ------------------------------ Message: 3 Date: Tue, 2 Oct 2018 16:33:00 +0200 From: Marek Posolda <mposolda(a)redhat.com&gt; Subject: Re: [keycloak-dev] Create "online session" from offline session To: Niels Bertram <nielsbne(a)gmail.com&gt;,keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Message-ID: <0ca41d60-abd2-f716-91ae-9ac0ba00444d(a)redhat.com&gt; Content-Type: text/plain; charset=utf-8; format=flowed I suggest to use the flow like this: 1) Exchange the offline token for the 3 tokens, which will include the triplet of (access token, id token, offline token). 2) Then you can pass the just retrieved IDToken in the authentication request in the "id_token_hint" parameter. 3) Then you will need to create Authenticator (see our docs/quickstarts for more details), which will be able to see if "id_token_hint" was sent and then verify this token and authenticate user if it was ok. You can probably use some existing code from IDToken introspection endpoint. If parameter is not used, authenticator can be just ignored during the authentication flow. 4) As last step, you will need to add this authenticator to the browser authentication flow. This will cause that if IDToken is sent, it will be able to use it to authenticate the user and hence new UserSessionModel (+cookies and all of this) will be properly created by Keycloak itself. If you manage to make this working, we will be happy if you contribute it in the PR :) As this is described in the OIDC specification (see https://urldefense.proofpoint.com/v2/url?u=https-3A__openid.net_specs_ope... ), but we don't yet implement it. If you don't want to send PR, you may implement it a bit easier and differently in a non-OIDC standard way (EG. pass the offline_token directly instead of IDToken in step 2). Marek On 02/10/18 08:24, Niels Bertram wrote: ------------------------------ Message: 4 Date: Wed, 3 Oct 2018 01:15:05 +1000 From: Niels Bertram <nielsbne(a)gmail.com&gt; Subject: Re: [keycloak-dev] Create "online session" from offline session To: Marek Posolda <mposolda(a)redhat.com&gt; Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Message-ID: <CAPLPygkndifFFNXr27ic8MPiy_oc7Z3wM72UMGHGMnamfducHA(a)mail.gmail.com&gt; Content-Type: text/plain; charset="UTF-8" Thanks for the response Marek. I implemented a custom authenticator before so that makes all total sense. The parts I am a bit worried about is: a) the GET implementation would require use to send the IDToken unprotected in the URL (POST is fine) b) a mobile app from which we want to initiate the "sign me in and then redirect me to another website" would effectively need to whitelist every possible URL that it can redirect to. If I send a PR to latest Keycloak, any chance that can be patched into current or next version of RH-SSO? Cheers, Niels On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda <mposolda(a)redhat.com&gt; wrote: ------------------------------ Message: 5 Date: Tue, 2 Oct 2018 21:25:34 +0200 From: Marek Posolda <mposolda(a)redhat.com&gt; Subject: [keycloak-dev] PR for adding 'roles' and 'web-origins' client scopes To: &quot;keycloak-dev(a)lists.jboss.org&quot; <keycloak-dev(a)lists.jboss.org&gt; Message-ID: <c06346c8-e686-4049-c744-5467da8fd7b4(a)redhat.com&gt; Content-Type: text/plain; charset=utf-8; format=flowed I've sent PR https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_keycloak_... . Summary of changes: - The roles and allowed-origins are not added automatically to the access tokens now. Instead of it, the PR introduces 2 default client scopes: 'roles' and 'web-origins' which adds them - Client scope 'web-origins' adds allowed-origins to the access token similarly like it was before. So the only advantage is, that it is possible to remove clientScope/protocolMapper if you don't need web origins in the token - Client scope 'roles' contains protocol mappers for add roles to the access tokens. By default, they are added to the claims "realm_access" and "resource_access" exactly as it was before. However it is easier to move to completely different claims. The PR doesn't introduce new protocol mapper implementation for roles, but uses the existing implementations UserRealmRoleMappingMapper and UserClientRoleMappingMapper. As a side-effect, it fixes some bug in those mappers claimed by many community users - https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_bro... - PR introduces new protocol mapper implementation AudienceResolveProtocolMapper, which adds audience of all the clients, for which at least one client role is available in the token. This is added by default to the 'roles' client scope - There is new switch "Include in Token Scope" on the Client Scope. It is applicable only for OIDC clients. When it is off, the client scope is not added to the "scope" in the access token. It is used for both 'roles' and 'web-origins' scopes, so those are not in the token by default now. - There is some minor addition to ProtocolMapper SPI. Protocol mapper implementations has "priority" now. This is needed, so that it is ensured that for example we first "compute" the roles to be put in the token (including composite roles etc), then eventually add/move some roles through HardcodedRoleMapper or RoleNameMapper, then figure the audiences and finally move the roles to proper place in the token (which is not necessarily hardcoded to "realm_access" and "resource_access" claims as it was before). - Migration is handled, so that 'roles' and 'web-origins' scopes are automatically added during migration and they are added to all the OIDC confidential/public clients. WDYT? Marek ------------------------------ Message: 6 Date: Wed, 3 Oct 2018 09:10:31 +0200 From: Marek Posolda <mposolda(a)redhat.com&gt; Subject: Re: [keycloak-dev] Create "online session" from offline session To: Niels Bertram <nielsbne(a)gmail.com&gt; Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org&gt; Message-ID: <fd2a86b5-0550-2c13-d4f4-e9cbbea62864(a)redhat.com&gt; Content-Type: text/plain; charset=utf-8; format=flowed On 02/10/18 17:15, Niels Bertram wrote: I see. This makes sense and we support sending POST request to the initial Authentication endpoint. Maybe you can add a flag to the authenticator like "Allow POST method only" to specify if it accepts just POST or allow both POST and GET? Flag can be set to ON by default (hence accept only POST). Yes, once the PR is accepted, it always go to the latest Keycloak upstream and latest Keycloak always "turns" after some time to RH-SSO. Some details about this https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_sup... . Just a note that we're close to feature freeze for Keycloak 4.x (RHSSO 7.3), so if you want it in RHSSO 7.3, you need to be a bit quick though :) And even then no guarantee as we will need some time for PR review etc. Marek ------------------------------ _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail... End of keycloak-dev Digest, Vol 64, Issue 3 ******************************************* ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. ______________________________________________________________________________________ www.accenture.com