always-refresh-token and admin rest api
by Benjamin Hansmann [alphaApps]
Greetings. Following up my post from yesterday I have more specific
questions.
I plan to use keycloak with my REST service for mobile apps as follows:
Option A:
1 A user sends a REST registration request to my webapp and the webapp
adapts the request to the local keycloak admin rest api.
2 When the user is created he can then authenticate to keycloak via the
direct access grant rest api and receives an access token.
3 The issued access token should be valid for only one request, thus I
specified the option "always-refresh-token": true in my webapp's
keycloak.json file.
Option B:
1 Mobile app forms the HTTP POST request to the user registration page.
2 and 3 as in Option A
Option C:
1 Use a user federation provider and create users in my webapp's
datasource.
2 and 3 as in Option A
Question regarding all options:
How is the "always-refresh-token" option supposed to work? I supplied
the option as stated above but I am still able to reuse access tokens
that were issued from the direct access grant service. Another question
is how this token refreshing should be implemented on the client side.
Do I have to invoke on the direct access grant api to obtain a new token
for every request or can the issued "refresh_token" be used on
subsequent requests and a new refresh token is somehow included in the
response of my service?
Question regarding option C:
When creating users in my own database which serves as a federation
provider I lose some keycloak functionality like Email verification and
so on, right?
I am also not sure which option to use. What would you suggest?
Feature request:
It would be great to have a keycloak REST API for registration and user
self-service in order to fulfill the demands of mobile applications.
Best regards,
Benjamin
--
[alphaApps] mobile development
Benjamin Hansmann
Nosthoffenstraße 46
D-40589 Düsseldorf
Germany
Mobile: +49 (0) 177 249 47 47
Email: b.hansmann(a)alphaapps.de
9 years, 10 months
keycloak admin-client
by Benjamin Hansmann [alphaApps]
When using the keycloak admin-client library in my servlet, it seems to
fail unmarshalling the JSON authorization response. I think that
admin-client/keycloak-core relies on resteasy-jackson-provider where my
servlet uses resteasy-jackson2-provider. Maybe this is the root of the
cause. Any ideas?
17:00:50,910 ERROR [io.undertow.request] (default task-4) UT005023:
Exception handling request to /services/users:
org.jboss.resteasy.spi.UnhandledException:
javax.ws.rs.client.ResponseProcessingException:
javax.ws.rs.ProcessingException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "access_token" (class
org.keycloak.representations.AccessTokenResponse), not marked as
ignorable (9 known properties: "notBeforePolicy", "otherClaims",
"tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn",
"idToken", "refreshToken"])
at [Source: org.apache.http.conn.EofSensorInputStream@31df042a; line:
1, column: 18] (through reference chain:
org.keycloak.representations.AccessTokenResponse["access_token"])
--
[alphaApps] mobile development
Benjamin Hansmann
Nosthoffenstraße 46
D-40589 Düsseldorf
Germany
Mobile: +49 (0) 177 249 47 47
Email: b.hansmann(a)alphaapps.de
9 years, 10 months
Securing Pentaho in Tomcat
by Edem Morny
Hi,
I'm wondering if anybody has any tips on replacing Pentaho's login with
SSO via keycloak. Apparently it works with CAS, but although I tried to
follow the instructions on installing the tomcat adapters for keycloak,
I haven't had any luck.
Our application is already secured via keycloak, but needs integration
with Pentaho dashboards and document management via Alfresco, so I was
hoping keycloak can be all that we need for single sign-on. As of now
Pentaho is the more critical need.
Any pointers will really be appreciated.
--
Edem Morny
CTO,
Queauji Consulting Ltd
==================
Health Care Solutions and Business Intelligence
9 years, 10 months
REST client credentials
by Hernan Dario Metaute Sarmiento
Hi
I'm currently developing an application that needs to access some user
data that is stored on the keycloak database. I could just write a database
access and query the user data myself (I need to get user name, last name,
email and the data from the registration login form that is stored on a
keycloak database)
As a general info I'm using a mongo database for my app data and a separate
database in mongo for keycloak specific data
I have been trying to access the rest API detailed here
http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/admin/realms/%7B...
in specific I'm trying to make a request like
GET /admin/realms/{realm}/users?search=firstName=John
but I'm having trouble getting the credentials right (I have an admin
username and admin password for the master realm)
I don't see in the documentation how to set the credentials as headers or
as payload on the GET request.
Could someone give me some hints as to how could I leverage the API for
this purpose?
Thanks in advance for your time
--
*Hernán Metaute*
Architect
*Ceiba Software *(57 4) 444 5 111 Ext 110
Cl 8 B 65 - 191 Of 409, Centro Empresarial Puertoseco – Medellín, Colombia
Visit our site www.ceiba.co <http://www.ceiba.com.co/>
________________________________________
This message, including its attachments, is confidential and may be
privileged. If you are not its intended recipient, please notify the
sender, then destroy the communication and all copies. You must not
copy, distribute and/or disclose this communication in whole or in part
without the sender's authorization.
9 years, 10 months
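As an added example (not code from any of the posts above and not Keycloak's own client library), the request and response shapes behind the direct access grant, the refresh call and a Bearer-authorized admin REST call that this post and the always-refresh-token post above ask about. It assumes the Keycloak /auth context root with the openid-connect token endpoint path, and the client id admin-cli is a placeholder for whichever client your realm allows to use the direct access grant.

```javascript
// Endpoint layout assumed here: /auth/realms/{realm}/protocol/openid-connect/token
// for tokens and /auth/admin/realms/{realm}/users for the admin REST API.
function tokenEndpoint(base, realm) {
  return `${base}/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
}

const FORM = { 'Content-Type': 'application/x-www-form-urlencoded' };

// Direct access grant: the credentials go in an x-www-form-urlencoded POST body,
// not in request headers. A master-realm admin obtains the token from "master".
function buildPasswordGrant(base, realm, clientId, username, password) {
  const body = new URLSearchParams({ grant_type: 'password', client_id: clientId, username, password });
  return { method: 'POST', url: tokenEndpoint(base, realm), headers: FORM, body: body.toString() };
}

// Refresh: the client exchanges refresh_token for a fresh access/refresh pair at the
// same endpoint instead of re-sending the password for every request.
function buildRefreshGrant(base, realm, clientId, refreshToken) {
  const body = new URLSearchParams({ grant_type: 'refresh_token', client_id: clientId, refresh_token: refreshToken });
  return { method: 'POST', url: tokenEndpoint(base, realm), headers: FORM, body: body.toString() };
}

// The token endpoint answers with snake_case wire names ("access_token", "expires_in"),
// the same field the admin-client stack trace above could not map; parse them as-is.
function parseTokenResponse(jsonText, nowSeconds) {
  const t = JSON.parse(jsonText);
  if (typeof t.access_token !== 'string') throw new Error('token response without access_token');
  return { accessToken: t.access_token, refreshToken: t.refresh_token,
           expiresAt: nowSeconds + (t.expires_in || 0) };
}

// Treat the token as expired a few seconds early so a request never leaves with a stale one.
function isExpired(tokens, nowSeconds, skewSeconds = 5) {
  return nowSeconds + skewSeconds >= tokens.expiresAt;
}

// Admin REST call from the post: the access token travels as a Bearer token in the
// Authorization header; the realm in the path is the one whose users are searched.
function buildUserSearch(base, realm, tokens, search) {
  return { method: 'GET',
           url: `${base}/auth/admin/realms/${encodeURIComponent(realm)}/users?search=${encodeURIComponent(search)}`,
           headers: { Authorization: `Bearer ${tokens.accessToken}`, Accept: 'application/json' } };
}
```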
Re: [keycloak-user] Tomcat with 2 application
by Henk Laracker
Carlos,
If you search in the maillist, you will see that there is a bug in keycloak which has to do with cors; we are waiting for a fix.
Regards,
Henk
From: Carlos Feria <carlosthe19916(a)gmail.com>
Date: Monday 20 April 2015 17:19
To: Henk Laracker <henk.laracker(a)planonsoftware.com>
Subject: Re: [keycloak-user] Tomcat with 2 application
Hello, I have the same problem as you. Could you solve your problem? Please tell me how you solved your problem with No 'Access-Control-Allow-Origin'.
2015-04-12 11:35 GMT-05:00 Henk Laracker <Henk.Laracker(a)planonsoftware.com>:
Hi,
I have a tomcat 7 running with two web applications deployed, called ROOT and web client. I created a realm in keycloak and two applications. Configured tomcat with the correct json files. When I log in in ROOT it works fine; when I log in in web client it works fine. But the following is the case. Both applications are not owned by me, so I can not change the code. I log in in ROOT; this application connects to web client through a rest call; this rest call results in a redirect to keycloak because I'm not logged in. The result of this is:
XMLHttpRequest cannot load https://keycloak-accdev.planoncloud.com/auth/realms/auth/protocol/openid-.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://auth-proddev.planoncloud.com' is therefore not allowed access.
I know that this has something todo with CORS, so I added the settings:
"enable-cors" : true,
"cors-max-age" : 1000,
"cors-allowed-methods" : "POST, PUT, DELETE, GET",
To the json file, and added the keycloak url to the web origin of both apps in the keycloak manager, but still I get the same result. What do I do wrong? Please advise.
Henk
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Carlos E. Feria Vila
9 years, 11 months
User attributes - checkbox
by Libor Krzyžanek
Hi,
I’d like to use user attributes to store information like “Subscribe to newsletter” which is obviously checkbox.
How should I implement it in my account.ftl?
I have in account.ftl:
<div class="form-group">
<div class="checkbox">
<label for="user.attributes.newsletter" class="control-label">
<input type="checkbox" class="form-control" id="user.attributes.newsletter" name="user.attributes.newsletter" <#if account.attributes.newsletter??>checked</#if>/>
${msg("newsletter")}
</label>
</div>
</div>
When I tick it and submit the form everything is OK, but when I untick it and submit then the checkbox is still checked.
I guess it’s because checkbox state is included in HTTP Form Data only when it’s checked.
How to handle this in KC UI?
I remember that other frameworks used some hidden fields to post the information whether the checkbox was ticked or not. But I'm not sure how the KC GUI framework handles this use case.
Thanks,
Libor Krzyžanek
jboss.org <http://jboss.org/> Development Team
9 years, 11 months
Securing a REST service with Keycloak?
by Benjamin Hansmann [alphaApps]
Greetings. I am currently developing a RESTful web service for mobile
applications and was looking for a suitable solution to secure it.
My requirements are:
R1 Users can register over a REST API and have to verify their Email
address
R2 Users can manage their accounts over a REST API (change password
etc.)
R3 Other requests than registering need authentication
R4 Logging in should work native from the mobile app and not through a
website
R5 Data on the transmission line should be protected from eavesdropping
and other man-in-the-middle attacks (met: https with certificate
truststore on the client side)
R6 The service should be resistant to replay attacks
R7 The service should be resistant to brute-force attacks (met:
keycloak)
R8 (optional) Support OAUTH 2.0 to let a custodian perform actions on
behalf of the registered user (met: keycloak)
I set up a test environment on Debian running Wildfly 8.2 and Keycloak
1.1.0. My web application to be secured is based on the restEasy JAX-RS
implementation and is already configured to use the Keycloak
authentication subsystem and security annotations.
At this point I am not sure if keycloak is the right way to go. As of my
current understanding I would do it this way:
a Create an application in my keycloak realm that only supports bearer
token
b Maybe have a short token timeout
c Use the direct access grant API to obtain token
d Do some REST service requests with the issued token until it expires
and request a new one
But I have my concerns with this approach:
C1 Is a short token timeout sufficient to protect against replay attacks
(R6)? Does the keycloak implementation provide some additional protocol
features like the counters used in HTTP Digest authentication or
OATH-HOTP solutions? Maybe I just did not understand the Access Code and
Access Token mechanism...
C2 Does keycloak provide REST functionality for R2 and R3 (registration
and user self-service)
C3 Is there another way to authenticate to obtain a token than
Basic/x-www-form-urlencoded
C4 The user database is separated from my application's database. I've
seen that I could implement my own User Federation Provider, but is
there another way to maybe add user profile information to the keycloak
user database so that user information exists in only one place? I would
also like the idea where keycloak would use a user table in my
application's database...
C5 I could imagine a solution that requires Digest Authentication for
users and to support OAUTH 2.0 for custodians but as far as I know this
is not possible with keycloak.
I would be grateful to get some advice on this. I am new to the Java EE
and REST world and want to make my REST service as secure as possible
because it will expose sensitive data and also will incorporate
financial transactions. Maybe I am on the wrong track here...
Thanks in advance.
Best regards
Benjamin
--
[alphaApps] mobile development
Benjamin Hansmann
Nosthoffenstraße 46
D-40589 Düsseldorf
Germany
Mobile: +49 (0) 177 249 47 47
Email: b.hansmann(a)alphaapps.de
9 years, 11 months
Get user roles in AngularJS from WildFly adapter
by Thorsten
I have a WAR application that packages some JAX-RS services and an
AngularJS UI talking to them. No classic HTML/JSF stuff at all.
The app is running on WildFly and the Keycloak adapter with authentication
is already working and I can e.g. secure the JAX-RS endpoints with
@RolesAllowed etc.
My question is now what the recommended way is to get user role information
in the AngularJS part of the app? Since the authentication is not done in
JS I don't think keycloak.js would work? Can/should the keycloak.js adapter
get combined with the WildFly adapter or is there a different way to get
something like kc.hasRealmRole() to work?
Thanks
9 years, 11 months
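As an added example (not the post's code and not keycloak.js), one way to answer hasRealmRole()-style questions in the browser once the WildFly-side application has handed the access token string to the Angular code; how that hand-off happens is assumed, not shown. The token is only decoded, not signature-verified, so it drives UI decisions while the @RolesAllowed checks on the JAX-RS endpoints remain the enforcement point.

```javascript
// Assumes a compact JWS (header.payload.signature) whose payload carries the
// "realm_access" and "resource_access" claims in the shape Keycloak issues them.
function base64UrlDecode(segment) {
  // JWT segments use the URL-safe alphabet without padding; restore both before decoding
  // (Node's Buffer is used here; in a browser, atob on the converted string does the same).
  const std = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns the claim set of the token. No signature check happens here: the result is
// only trustworthy enough to decide what to render, never what the server may do.
function parseAccessToken(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function hasRealmRole(claims, role) {
  const roles = (claims.realm_access && claims.realm_access.roles) || [];
  return roles.includes(role);
}

// Client (application) roles live under resource_access keyed by client id.
function hasResourceRole(claims, clientId, role) {
  const client = claims.resource_access && claims.resource_access[clientId];
  return !!client && Array.isArray(client.roles) && client.roles.includes(role);
}

function isTokenExpired(claims, nowSeconds) {
  return typeof claims.exp !== 'number' || claims.exp <= nowSeconds;
}

// Constructed sample token for offline use: a realistic claim set with a placeholder
// signature segment, since this example never verifies signatures anyway.
function sampleToken() {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = { sub: 'user-1', exp: 2000000000,
                    realm_access: { roles: ['user', 'manager'] },
                    resource_access: { 'my-app': { roles: ['editor'] } } };
  return `${enc(header)}.${enc(payload)}.SIGNATURE-PLACEHOLDER`;
}
```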
ldap novell eDirectory patch
by fiorenzo.pizza@ict-group.it
Hi,
to support Novell eDirectory GUID, you can modify some lines of code:
1) [project keycloak-model-api] -> class: org.keycloak.models.LDAPConstants
- adding a new vendor constant:
public static final String VENDOR_NOVELL_EDIRECTORY = "edirectory";
2) [project keycloak-picketlink-ldap] -> class: org.keycloak.picketlink.ldap.PartitionManagerRegistry
// RHDS is using "nsuniqueid" as unique identifier instead of "entryUUID"
// Novell eDirectory uses "guid"
if (vendor != null && vendor.equals(LDAPConstants.VENDOR_RHDS)) {
    ldapStoreBuilder.uniqueIdentifierAttributeName("nsuniqueid");
} else if (LDAPConstants.VENDOR_TIVOLI.equals(vendor)) {
    ldapStoreBuilder.uniqueIdentifierAttributeName("uniqueidentifier");
} else if (LDAPConstants.VENDOR_NOVELL_EDIRECTORY.equals(vendor)) {
    ldapStoreBuilder.uniqueIdentifierAttributeName("guid");
}
3) [project keycloak-forms-common-themes] -> file: users.js
$scope.ldapVendors = [
    { "id": "ad", "name": "Active Directory" },
    { "id": "rhds", "name": "Red Hat Directory Server" },
    { "id": "tivoli", "name": "Tivoli" },
    { "id": "edirectory", "name": "eDirectory" },
    { "id": "other", "name": "Other" }
];
What do you think about it? I need more time to test my patch; the
keycloak project does not compile in my workspace...
Best Regards
Fiorenzo Pizza
9 years, 11 months