Custom Required Action
by Bruno Palermo
Hi,
I'm trying to develop a custom required action to verify the user email without relying on the user session and allow the confirmation link to live longer.
Let's say I send the user email as query parameter on the confirmation link.
It's possible to search the database directly using this email and avoid using 'RequiredActionContext getUser()'?
Thanks,
Bruno
9 years
IdP-initiated saml request to saml SP which uses keycloak saml tomcat 8 adapter without configure tomcat realm
by Zou, Jay (HQP)
Hi keycloak experts,
I am using keycloak saml tomcat 8 adapter. My question is that user is authenticated by an external saml IdP (Idp-Initiated request) through the <login-config> <auth-method>KEYCLOAK-SAML</auth-method> with all necessary configuration so I do NOT need to authenticate that user again through the tomcat realm. But the <security-constraint> defined in the web.xml of tomcat needs match the user's role to the role defined by the <auth-constraint>. Normally, the login-config will send user to the saml IdP to authenticate which will return a saml assertion that will include either an username or federation Id if the saml Idp authentication is successful. Then this username or federation Id is matched with the role defined in the <auth-constraint> by the tomcat realm. My question is that the user is already authenticated by the saml IdP so no need to match the username or federation Id to the role defined in the <auth-constraint> again in Tomcat realm. Could I do it without define a realm in tomcat? I think this is a quite common question that might already have an answer. :)
Thanks,
Jay
9 years
Keycloak not authorising access to app behind Keycloak security proxy
by Guy Bowdler
Hi all,
I have an app that isn't keycloak aware and have put the keycloak
security proxy in front of it however even with the most basic settings
I cannot succesfully authenticate to the page - it returns a 403 access
denies error and the keycloak proxy outputs this:
org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed to turn code into token
java.net.ConnectException: Connection refused (Connection refused)
Must admit I'm stumped, I thought with this config, any user with an
account that successfully logs in would get the app. I'm not using
roles or anything complicated (because I don't understand it yet) and
have been round the houses without success so any advice would be
greatly appreciated!
thanks,
Guy
----------------------------------------------
Here's some info about the environment:
----------------------------------------------
Both keycloak and the application are reverse proxied via NGINX, but
this works fine when I change the proxy config from "authenticate":true
to "permit": true.
DMZ:
2 X NGINX SERVERS (not clustered) one proxying keycloak and the other
proxyying the application <-- Proper headers set
----------------------------------------------
TRUST:
KEYCLOAK SERVER - Wildfly configured with
_<http-listener name="default" socket-binding="http"
redirect-socket="PROXY-HTTPS" PROXY-ADDRESS-FORWARDING="TRUE"/> _and
_<socket-binding name="proxy-https" port="443"/> _
APPLICATION SERVER - Keycloak Security Proxy
1 {
2 "target-url": "http://1.2.3.4:80",
3 "bind-address": "5.6.7.8",
4 "http-port": "80",
5 "https-port": "443",
6 "keystore": "/opt/keycloak-proxy/KeyStore.jks",
7 "keystore-password": "password",
8 "key-password": "password",
9 "applications": [
10 {
11 "base-path": "/",
12 "error-page": "/error/denied.html",
13 "adapter-config": {
14 "realm": "realmname",
15 "resource": "clientname",
16 "realm-public-key": "publickey",
17 "auth-server-url":
"https://keycloak.tiberius.local/auth",
18 "ssl-required": "external",
19 "credentials": {
20 "secret": "secret"
21 }
22 }
23 ,
24 "constraints": [
25 {
26 "pattern": "/*",
27 "authenticate": "true"
28 }
29 ]
30
31 }
9 years
Using a role to allow access to a resource
by Guus der Kinderen
Hi,
While trying to authenticate a user to obtain a resource, I'm running into
an issue. It's likely caused by my misunderstanding of how things are
supposed to work, rather than some kind of bug. I'd love to be corrected.
Using Keycloak 1.9.2, I've created a realm with two clients. One client is
using the Javascript adapter[1] to create a very simply UI, that lets the
user authenticate. The resulting access token is used to make a request to
a REST-like service, which employs the Java Servlet Filter Adapter[2].
We're planning to have multiple resource services like this, each exposing
data for which different levels of authorization might be required.
I'd like our REST-like service to provide data only when the user that
requests the data has an access token that is issued to a front-end that is
allowed to access this data. To achieve this, I tried employing the use of
a role. I think this is where I'm messing up somehow.
What I did:
In the realm, I've a added a "realm role" ( "scope param required" /
"composite roles" both disabled)
In the client configuration that's used by the Javascript UI (which
generates the access token), I've made these changes to the "scope" tab:
- Disabled "Full Scope Allowed"
- Moved the role that I added earlier from "available roles" to
"assigned roles"
Finally, I've modified the implementation of the REST-like service to check
for the new role, by doing something like this simplified code in a servlet
(that's covered by the OIDC Filter):
KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
request.getAttribute( KeycloakSecurityContext.class.getName() );
if ( !securityContext.getToken().getRealmAccess().isUserInRole(
"the-role-that-I-added" ) )
{
response.setStatus( HttpServletResponse.SC_FORBIDDEN );
return;
}
This throws a NullPointerException, as getRealmAccess() returns null.
While debugging the code, it's appears that the access token itself is
received and valid - it's the scope / role check that does not appear to
come through.
I finally used the service at https://jwt.io/ to inspect the content of the
access token that's being generated. I expected the 'the-role-that-I-added"
value to be in there somewhere, but that's not the case.
That's where I thought it'd be a good idea to get some advice, and here we
are. I'd love some feedback.
Regards,
Guus
[1]:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/t...
[2]:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/t...
9 years
keycloak consuming saml
by java_os
Group
Portal where users authenticted in adfs and need to add a link to my
webapp protected by keycloak. Users click on link should trigger a saml
post into keycloak , consume the assertion and let user in.
Given this scenario how could i configure keycloak to receive the
assertion and give my webapp an oidc token. Is this doable? Was looking at
identity brokering, but this triggers request from keycloak to idp. I
think my case is idp initiated saml post . is it possible to use id
brokering in this case, or how does anyone solve this scenario?
Thanks
9 years
