Security proxy not supporting policy enforcement
by Manfred Duchrow
Hi,
is the keycloak security proxy intentionally not supporting the policy
enforcement (i.e. authorization services)
or is it a bug?
With activated policy-enforcer I'm getting an exception at startup of
security proxy:
Exception in thread "main" java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.keycloak.Launcher.main(Launcher.java:81)
Caused by: java.lang.NoClassDefFoundError:
org/keycloak/authorization/client/Configuration
at
org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:56)
at
org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
at
org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
at
org.keycloak.proxy.ProxyServerBuilder$ApplicationBuilder.<init>(ProxyServerBuilder.java:164)
Obviously the library 'keycloak-authz-client-2.4.0.Final.jar' is missing
in bundle keycloak-proxy-2.4.0.Final.zip.
Should I open a Jira bug?
Workaround: Just copy the keycloak-authz-client-2.4.0.Final.jar from
another bundle into lib folder of the security proxy.
Regards,
Manfred
8 years, 11 months
Sessions vs Tokens
by Matt H
I'm not sure how best to describe this but I have seen times when I called a secured endpoint (secured with spring security adapter) but a token was not passed and I was able to gain access. The first time I went to a secured endpoint I had to log into keycloak to authenticate, but then on each request, only a session id was passed and no JWT. Is this the standard behavior? If there is no JWT, where are the claims read from?
Matt
8 years, 11 months
JWT - Signature Verification Failure
by Charles Moulliard
Hi,
Is there a workaround when we use Keycloak 1.9.4 to avoid that the client
who will verify the certificate of the JWT will issue this error
WARNING: JWT decode failure
java.lang.RuntimeException: Signature verification failed
at io.vertx.ext.auth.jwt.impl.JWT.decode(JWT.java:200)
at
io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.authenticate(JWTAuthProviderImpl.java:84)
if (!crypto.verify(base64urlDecode(signatureSeg),
signingInput.getBytes(UTF8))) {
throw new RuntimeException("Signature verification failed");
}
Is it because the token is not base64 ?
Regards,
Charles Moulliard
Sr. Pr. Software Engineer @redhat
cmoulliard(a)redhat.com | work: +31 205 65 12 84 | mobile: +32 473 60 40 14
Twitter: @cmoulliard <http://twitter.com/cmoulliard> | blog:
cmoulliard.github.io
committer: apache camel, karaf, servicemix, hawtio, fabric8, drools, jbpm,
deltaspike
8 years, 11 months
updateCredential-method: relevance of output true or false
by Matuszak, Eduard
Hello
Could you please explain the meaning of the boolean result of
boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input);
in package org.keycloak.credential.CredentialInputUpdater (Keycloak 2.4.0 Final)? It's not obvious to me, if there are any differences in Keycloak's behaviour between returning true or false when overriding the method in a customized federation provider, whereas I realized that errorhandling can be triggered by throwing an exception.
Thanks in advance, Eduard Matuszak
8 years, 11 months
chrome on windows
by lists
Hi,
Somehow, when using keycloak SAML auth on our application, chrome on
windows is presenting us a basic http popup logon window.
In that case, the URL looks like:
> https://keycloak.company.com/auth/realms/testrealm/protocol/saml?SAMLRequ....
We have to cancel that popup, to end up in the regular keycloak login page.
The URL then becomes:
> https://keycloak.company.com/auth/realms/testrealm/login-actions/authenti....
Since this only happens on chrome on windows, I thought that this
perhaps was a kerberos-auth going wrong. So i disabled kerberos, but it
keeps happening.
Using other browsers, we end up in the regular second /login-actions/
logon screen straight away.
The chrome popup is also NOT useable: if we provide a valid
username/password, we will NOT become authenticated, but we end up in
the "WE'RE SORRY... Unexpected error when handling authentication
request to identity provider."
Can anyone explain this? (keycloak 2.3.0)
MJ
8 years, 11 months
Red Hat SSO - Issue on OpenShift Dedicated
by Charles Moulliard
Hi,
This project (= Spring Boot App secured with Red Hat SSO & Keycloak
Adapter) which was working last Friday on "
https://console.engint.openshift.com/console" doesn't work anymore
If I issue a curl/httpie request, I receive a token but next when I try to
access the service, OpenShift returns
./scripts/httpie/token_req.sh
>>> Greeting
GET /greeting HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...AC7tLlhit79g
Connection: keep-alive
Host: secured-springboot-rest-sso.e8ca.engint.openshiftapps.com
User-Agent: HTTPie/0.9.6
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
When I issue a curl request within the pod running the SpringBoot app, I
get a response from the Red Hat SSO Server
sh-4.2$ more /etc/hosts
# Kubernetes-managed hosts file.
127.0.0.1 localhost
10.1.7.20 secured-springboot-rest-5-7tcxs
sh-4.2$ curl -k -v http://10.1.7.20:8080/greeting
* About to connect() to 10.1.7.20 port 8080 (#0)
* Trying 10.1.7.20...
* Connected to 10.1.7.20 (10.1.7.20) port 8080 (#0)
> GET /greeting HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.1.7.20:8080
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: Apache-Coyote/1.1
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 UTC
< Set-Cookie: JSESSIONID=C6437B316FE0C08F833B0B5F9DEEB231; Path=/; HttpOnly
< Set-Cookie:
OAuth_Token_Request_State=5/64fcf1a6-1b05-4235-8463-3eb024e1a0c5;
Version=1; HttpOnly
< Location:
https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/p...
f1a6-1b05-4235-8463-3eb024e1a0c5&login=true
What is the problem ?
Regards,
Charles
8 years, 11 months
ldap server credentials only 10 chars saved?
by lists
Hi,
I just wanted to create my first JIRA bug report, but wanted to check
that others are also seeing the same problem.
Fresh 2.4.0 install, I added an AD ldap server federation backend with a
20 character password.
The "test connection" / "test authentication" buttons both confirm that
the settings are correct. It shows the 20 dots for the password.
After I click 'save', only 10 password dots remain, and the "test
authentication" button now fails.
Should I file a bug report about this? This DOES seem to work in 2.3.0.
MJ
8 years, 11 months
How to work with SpringSecurity adapter behind HTTP proxy?
by Michael Furman
HI Sebastien,
(I have changed the subject since the root cause of the problem is different).
I have debugged the code and I have found the following.
Please look at getRedirectUri of org.keycloak.adapters.OAuthRequestAuthenticator:
It just takes the request URI and creates the redirect URI string:
protected String getRedirectUri(String state) {
String url = this.getRequestUrl();
Please note that when you work behind getRequestUrl() will always be localhost and therefore I think SpringSecurity adapter can not work behind HTTP proxy.
How can I change the code in the minimal way it will support the HTTP proxy?
Best regards,
Michael
________________________________
From: Michael Furman <michael_furman(a)hotmail.com>
Sent: Tuesday, December 13, 2016 2:25 PM
To: Sebastien Blanc
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
Thanks Sebastien,
I see the link but supposed it is related only to Keycloak IDP.
Is it also relevant to SpringSecurity adapter?
Will SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers?
Best regards,
Michael
________________________________
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: Tuesday, December 13, 2016 2:19 PM
To: Michael Furman
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
TBH I have not that much experience with configuring a proxy but :
- Have you looked at https://keycloak.gitbooks.io/server-installation-and-configuration/conten... (it also cover proxy configuration)
- Search the user list, I see often question around this maybe you can find your answer there)
On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman <michael_furman(a)hotmail.com<mailto:michael_furman@hotmail.com>> wrote:
HI Sebastien,
The problem is not related to HTTPS but to the reverse proxy
When I access to SpringSecurity adapter RP over HTTP but behind the Apache HTTPD reverse proxy (the client configuration in IDP configured also HTTP) the redirect_uri is replaced to localhost:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth...
Then, I get the error
WE'RE SORRY ...
Invalid parameter: redirect_uri
What should I configure to allow to work with proxy?
Any help will be appreciated.
Best regards,
Michael
________________________________
From: keycloak-user-bounces(a)lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> <keycloak-user-bounces(a)lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> on behalf of Michael Furman <michael_furman(a)hotmail.com<mailto:michael_furman@hotmail.com>>
Sent: Tuesday, December 13, 2016 1:17 PM
To: Sebastien Blanc
Cc: keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
Hi,
Important clarification:
The HTTPS handshake is by Apache httpd server that is also reverse proxy for Tomcat.
Tomcat is located on the same ip.
SpringSecurity RP is deployed in Tomcat.
Best regards
On Dec 13, 2016 12:44 PM, Michael Furman <michael_furman(a)hotmail.com<mailto:michael_furman@hotmail.com>> wrote:
Example 2:
SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS)
IDP is over HTTP
Example 3:
SpringSecurity adapter RP is over HTTP (the client configuration in IDP configured also HTTP)
IDP is over HTTP
BTW,
Example 1:
SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS)
IDP is over HTTPS
________________________________
From: Sebastien Blanc <sblanc(a)redhat.com<mailto:sblanc@redhat.com>>
Sent: Tuesday, December 13, 2016 12:23 PM
To: Michael Furman
Cc: keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
What is the difference between your example 2 and example 3 ?
On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman <michael_furman(a)hotmail.com<mailto:michael_furman@hotmail.com><mailto:michael_furman@hotmail.com<mailto:michael_furman@hotmail.com>>> wrote:
Hi all,
I try to access from SpringSecurity adapter over HTTPS without success.
When I try to access to IDP over HTTPS the redirect_uri is replaced to localhost:
https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/aut...
Then I get this error in UI:
WE'RE SORRY ...
Invalid parameter: redirect_uri
Similar, when I try to access to IDP over HTTP, the redirect_uri is replaced to localhost:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth...
Same error in UI:
WE'RE SORRY ...
Invalid parameter: redirect_uri
Only if I access from SpringSecurity adapter over HTTP the redirect_uri has correct value and it works:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth...
Finally I can see the login page.
What wrong in my configurations?
Any help will be appreciated.
Best regards,
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org><mailto:keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org<http://lists.jboss.org>
To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org<http://lists.jboss.org>
To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...
8 years, 11 months
Keycloak authorization protected resource with user attributes
by uğur kolip
Hi,
I am using keycloak 2.4.0 Final. I try to copy photoz example to spring
boot app (with spring boot adapter) and add same features.
Features that i try to add :
Make a page which admin user can create users ,create protected resources ,
and adding access ability to users for these protected resource.(to add
these i use keycloak-admin-client)
For example , with admin page i create protected resource which uri is
campaign/*capm1*/* and campaign/*camp2*/* . spring end points are
campaign/{campaignName}/create ,campaign/{campaignName}/update
,campaign/{campaignName}/delete
For authorization , i add user attribute to user like (key : camp1 value :
create,update) or (key:camp2 , value: read) and i try to using these
attributes in policy at the protected resource.
my questions:
1.is it right way using attributes to authroization ? can these attributes
change at the client side to hack ?
2.My other idea is creating role for each protected resource like
(camp1_create,camp1_update) and add to users. is these way suitable ? if i
use these way , there are too many roles)
3.when i try to use attributes , add maping to rest api
(photoz-restful-api) but when i add mapping to client
app(photoz-html5-client) , it works. i don't understand , should we add
mapping to client which i call ? what should i do if i call these
api(photoz-restful-api) some other app ?
4.In the js policy , can i use groups and how ?
5. In the js policy , can i get data from my db or endpoint ? (like these :
if(someMethod(identity.getId()) == true) $evaluation.grant(); Because i
need extra data to authz .
6. can we debug js policy ? i want to know idenity , content attributes .
console.log not work :)
7. can we use request body to authorization , in js policy or somewhere ?
My main misson is creating protected resource and find a way to authz these
endpoints. What should i add to user ? and how use them ?
Thank you for your helping and sorry my english :)
8 years, 11 months
