EJB Remote Calls and KeyCloak
by da.dom
Hi There,
I try to use Keycloak to authenticate an EJB Remote Client Call.
Setup:
I have a working Keycloak Setup for my WebClients.
I add to my application server standalone.xml an additional security domain:
<security-domain name="keycloakjaas" cache-type="default">
    <authentication>
        <login-module
            code="org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule"
            flag="required">
            <module-option name="keycloak-config-file"
                value="E:\Software\ApplicationServer\wildfly-10.0.0.Final\standalone\configuration\keycloak-sso1.json"/>
        </login-module>
    </authentication>
</security-domain>
and configure my ejb sub-system
<subsystem xmlns="urn:jboss:domain:ejb3:4.0">
    ....
    <default-security-domain value="keycloakjaas"/>
</subsystem>
My Test Connection:
// javax.naming.Context, javax.naming.InitialContext and java.util.Properties are imported
Properties prop = new Properties();
prop.put(Context.INITIAL_CONTEXT_FACTORY,
    "org.jboss.naming.remote.client.InitialContextFactory");
prop.put(Context.PROVIDER_URL, "http-remoting://localhost:8080");
prop.put("jboss.naming.client.ejb.context", true);
// the credentials the login module should hand to Keycloak's direct access grant
prop.put(Context.SECURITY_PRINCIPAL, "admin-user");
prop.put(Context.SECURITY_CREDENTIALS, "123");
Context ctx = new InitialContext(prop);
fails with: "Invalid User"
In Keycloak Server I see the failed login:
Error: invalid_user_credentials
auth_method: openid-connect
grant_type: password
client_auth_method: client-secret
username: admin-user
"Direct Access Grants" is enabled for that application.
Somebody any idea? Or is my setup totally wrong?
How would I use KeyCloak for remote EJB calls?
Thanks a lot
Chris
8 years, 7 months
How to secure REST APIs with KeyCloak
by Moshe Ben-Shoham
Hi,
I’m trying to figure out the best way to secure REST APIs with KeyCloak. The REST APIs are to be invoked by unattended batch processes that are not KeyCloak clients but end-user scripts. I imagine a process in which the user generates a token using some web app and then uses this token in his scripts in order to authenticate when invoking the REST APIs.
So far I have found 2 options, but none of them seems like a very good option:
(1) Use offline tokens – according to the docs, offline token are to be used by KeyCloak clients that need to do things on behalf of the user. In my case, it is the end-user that needs the token and not a client. Should I build a dedicated client that will create the offline tokens and give them to the end-user to use? Is this a misuse for offline tokens?
(2) Use Direct Access Grants – seems like in this option, at least in its simplest form, the user needs to pass username and password to get a token. This means users need to keep their password in their scripts (or scripts configuration) and it is bad practice. In addition, what happens when KeyCloak is configured to be an Identity Broker? In this case KeyCloak does not even know how to handle the user/password.
Any help is appreciated!
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
8 years, 7 months
Monitoring & Collecting Metrics from Keycloak
by Sarp Kaya
Hi all,
I looked into the user guide but there is no mention of any metrics. For instance how would I be able to collect metrics for the amount of users that are logged in per minute, amount of users that could not log in per minute, amount of incorrect usernames etc. as metrics?
Is it somehow possible to hook any metric collection library to keycloak events, or does keycloak have anything to provide metrics?
Thank you,
Sarp Kaya
8 years, 7 months
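As an added illustration (not code from the thread or from the Keycloak project): Keycloak exposes its event stream through the org.keycloak.events.EventListenerProvider SPI, which is the hook a metrics library would attach to. The class below counts successful logins, bad-password failures and unknown-username attempts per minute and per realm into an in-memory map. The package name, the provider id "login-metrics" and the metric names are placeholders chosen for this example; the SPI types, EventType values and the Errors constants are Keycloak's own.

```java
// Added example, not from the thread: a Keycloak event listener that turns login
// events into per-minute counters. Package name and provider id are placeholders.
package com.example.keycloak.metrics;

import org.keycloak.Config;
import org.keycloak.events.Errors;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.LongAdder;

public class LoginMetricsEventListenerProviderFactory implements EventListenerProviderFactory {

    // Shared by every provider instance Keycloak creates; key = "<epoch minute>|<realmId>|<metric>".
    // In-memory and per node: a real deployment would forward each increment to its metrics library.
    static final ConcurrentMap<String, LongAdder> COUNTERS = new ConcurrentHashMap<>();

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new LoginMetricsEventListenerProvider();
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }

    // The id under which the listener appears in the admin console (Events > Config > Event Listeners).
    @Override public String getId() { return "login-metrics"; }

    static class LoginMetricsEventListenerProvider implements EventListenerProvider {

        @Override
        public void onEvent(Event event) {
            String metric = metricFor(event);
            if (metric == null) {
                return;                                   // not a login-related event
            }
            long minute = event.getTime() / 60_000L;      // event time is epoch milliseconds
            String key = minute + "|" + event.getRealmId() + "|" + metric;
            COUNTERS.computeIfAbsent(key, k -> new LongAdder()).increment();
        }

        @Override
        public void onEvent(AdminEvent event, boolean includeRepresentation) {
            // Admin-console actions are not login metrics; ignored here.
        }

        @Override
        public void close() { }

        // Maps a user event to a metric name, or null when it is not about logging in.
        // LOGIN_ERROR carries the reason in the error field, e.g. invalid_user_credentials
        // (wrong password) or user_not_found (username does not exist).
        static String metricFor(Event event) {
            EventType type = event.getType();
            if (type == EventType.LOGIN) {
                return "logins";
            }
            if (type == EventType.LOGIN_ERROR) {
                String error = event.getError();
                if (Errors.INVALID_USER_CREDENTIALS.equals(error)) {
                    return "login_errors.bad_password";
                }
                if (Errors.USER_NOT_FOUND.equals(error)) {
                    return "login_errors.unknown_user";
                }
                return "login_errors.other";
            }
            return null;
        }
    }
}
```

Register the factory's fully qualified class name in META-INF/services/org.keycloak.events.EventListenerProviderFactory, deploy the jar as a Keycloak provider, and enable "login-metrics" under Events > Config in the admin console. Counting unknown usernames separately from wrong passwords is what makes the "incorrect usernames" metric possible, but it also means the counter names themselves reveal whether an account exists; keep them internal rather than exposing them to end users.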
"You took too long to login" when adding the initial admin user
by Riedel, Sven
Hi,
I've set up keycloak 1.9.4final on AWS as an HA-cluster using JDBC-Ping for
infinispan group management behind a load balancer.
Now, when I create a user with the bin/add-user-keycloak.sh script and
restart keycloak on the respective instance, I get the message "You took
too long to login. Login process starting from beginning." on my first try
to login with the newly created account. On my second try, I just get "An
error occurred, please login again through your application."
From what I can see, the account is successfully being created in the
database. The login attempts happen within one minute of restarting the
keycloak service. In the console log I can see the message
"type=LOGIN_ERROR, realmId=master, clientId=null, userId=null,
ipAddress=a.b.c.d, error=expired_code, restart_after_timeout=true" on the
first attempt and "type=LOGIN_ERROR, realmId=master, clientId=null,
userId=null, ipAddress=a.b.c.d, error=invalid_code" on the second attempt.
I'm a bit at a loss as to how to proceed, to get the admin user set up
properly and get the login to work. Any pointers would be appreciated.
Regards,
Sven
--
Sven Riedel
Senior Systemsarchitect
glomex GmbH
Ein Unternehmen der ProSiebenSat.1 Media SE
Medienallee 4
D-85774 Unterföhring
Tel. +49 [89] 9507-8167
sven.riedel(a)glomex.com
Geschäftsführer: Michael Jaschke, Arnd Mückenberger
HRB 224542 AG München
USt.-ID.-Nr. DE 218559421
St.-Nr. 143/141/71293
8 years, 7 months
custom federation/authentication
by Simon Gordon
Hello
Looking for some guidance please - let's say that we want to authenticate
users against an external authenticator (e.g. RADIUS server, or a custom
REST API) and at the time of login, the user does not necessarily have a
profile/account within keycloak.
My initial scan suggests that we just need to create an Authenticator
Provider - but I'm concerned that since the user account does not
necessarily exist in KC, I can't see how the Authenticator provider will
work. Should I be looking at a userFederation provider instead? Looking at
the server-spi module, I'm not seeing the Interface(s) to implement, so any
pointers gratefully received!
Regards,
Simon
8 years, 7 months
Access Token from Account Theme
by Chris Hairfield
Hello,
We're trying to make a web request from our account.ftl (to upload a
profile photo) and wish to send the access token of the signed in user with
the request to authorize that action.
Does anyone know how to obtain the access token from within the account.ftl
theme? I'm hoping it's stored in a cookie that we have access to from our
theme's javascript.
Thanks,
Chris
8 years, 7 months
Keycloak & Forced Authentication
by John D. Ament
Hi,
I was wondering if there was any way in Keycloak to force the
authentication of a user?
From my application, I may need a user to reverify their credentials. They
will likely already have a session with keycloak open, but I need them to
re-enter their credentials. Is there a way to do this? Or even an API
call I can make with the user's credentials to verify them?
Likewise, I need to be able to provide a SAML ForceAuth=true. Is this
possible in Keycloak?
John
8 years, 7 months
Re: [keycloak-user] How to assign client roles to realm admin
by Haim Vana
I found the problem - I needed to use the client id (from the DB).
Thanks,
Haim.
-----Original Message-----
From: Haim Vana
Sent: Tuesday, May 24, 2016 11:20 AM
To: keycloak-user(a)lists.jboss.org
Subject: Re: Re: [keycloak-user] How to assign client roles to realm admin
Thanks for the prompt answer.
I looked into the CompositeRoleTest below, especially on the addClientLevelScopeMapping method.
However I don't think it's what I am looking for, I would like to create an admin user on the master realm and assign all the available client (another realm) roles for him.
So in the test it is not clear what are the target and source clients in my case.
Going back to my code sample below, can you please advise if this is the correct way to add the client roles and how can I get all the available ones?
realm.users().get(user.getKeyCloakId()).roles().clientLevel(tenantId + "-realm").add();
Thanks,
Haim.
-----Original Message-----
Message: 1
Date: Mon, 23 May 2016 10:10:55 -0400
From: Stan Silvert <ssilvert(a)redhat.com>
Subject: Re: [keycloak-user] How to assign client roles to realm admin
user programmatically
To: keycloak-user(a)lists.jboss.org
Message-ID: <57430F6F.1030003(a)redhat.com>
Content-Type: text/plain; charset="iso-8859-1"
Assigning roles with the admin client is rather tricky. I just finished migrating a test where I had to assign all kinds of roles. I think you'll probably find what you are looking for:
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar...
On 5/23/2016 9:58 AM, Haim Vana wrote:
>
> Hi,
>
> I am trying to create admin user for a specific realm
> programmatically, I am able to create the user, however I can't assign
> the realm client roles to it.
>
> For example in the UI I would go to the user 'Role Mappings' choose
> the realm client role and move the required roles from the Available
> section to the Assigned.
>
> When I try to do it programmatically I am getting 404, my code is below,
> note that I am getting 404 on the last line -
> adminUserClientRole.listAvailable())
>
> createUserAndPsw(keyCloakClient, "master", user);
> RealmResource realm = keyCloakClient.realm("master");
> UserResource userResource = realm.users().get(user.getKeyCloakId());
> RoleMappingResource roles = userResource.roles();
> RoleScopeResource adminUserClientRole = roles.clientLevel(tenantId + "-realm");
>
> adminUserClientRole.add(adminUserClientRole.listAvailable());
>
> Any advice will be appreciated.
>
> Thanks,
>
> Haim.
>
8 years, 7 months
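One way to do what the thread settles on (added example, not the poster's or the project's code): with the Keycloak admin client, clientLevel(...) expects the client's internal id (the id column the poster found in the database), not the human-readable clientId such as "<tenant>-realm". The example resolves that id through findByClientId first and then assigns every role that listAvailable() reports. It assumes the keycloak-admin-client artifact on the classpath and an already-authenticated Keycloak instance; the realm, user and client names are whatever the caller passes in.

```java
// Added example, not from the thread: assign all available roles of a client to a
// user, resolving the client's internal id before calling clientLevel(...).
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleScopeResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;

import java.util.List;

public class AssignClientRoles {

    // Returns the client's internal id (the UUID stored in the database), which is what
    // the role-mapping endpoints take, or throws when no client has that clientId.
    static String internalClientId(RealmResource realm, String clientId) {
        List<ClientRepresentation> found = realm.clients().findByClientId(clientId);
        if (found.isEmpty()) {
            throw new IllegalArgumentException("no client with clientId " + clientId);
        }
        return found.get(0).getId();
    }

    // Maps every not-yet-assigned role of the client onto the user and returns
    // the roles that were added, so the caller can log what was granted.
    static List<RoleRepresentation> assignAllClientRoles(Keycloak keycloakClient,
                                                         String realmName,
                                                         String userId,
                                                         String clientId) {
        RealmResource realm = keycloakClient.realm(realmName);
        String clientUuid = internalClientId(realm, clientId);
        RoleScopeResource clientRoles =
                realm.users().get(userId).roles().clientLevel(clientUuid);
        List<RoleRepresentation> available = clientRoles.listAvailable();
        if (!available.isEmpty()) {
            clientRoles.add(available);
        }
        return available;
    }

    // Usage in the thread's setting: the master realm holds one client per managed realm,
    // named "<realm>-realm", whose roles are that realm's management permissions.
    public static void main(String[] args) {
        String serverUrl = args[0];      // e.g. http://localhost:8080/auth
        String adminUser = args[1];
        String adminPassword = args[2];
        String tenantId = args[3];       // placeholder: the managed realm's name
        String userId = args[4];         // internal id of the user created earlier

        Keycloak keycloakClient = Keycloak.getInstance(
                serverUrl, "master", adminUser, adminPassword, "admin-cli");
        List<RoleRepresentation> granted =
                assignAllClientRoles(keycloakClient, "master", userId, tenantId + "-realm");
        for (RoleRepresentation role : granted) {
            System.out.println("granted " + role.getName());
        }
    }
}
```

Granting every available role hands the user full management of the target realm; when the intent is narrower, filter the listAvailable() result by role name before calling add(...), which the same RoleScopeResource accepts.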