Consulting
by Lars Noldan
Do any of you do Keycloak / RedHat SSO Installation consulting, or know of
any companies that do?
7 years, 12 months
Brute force detector extension
by Eriksson Fabian
Hi all!
We would like to have the ability to configure the brute force detector so it can disable a user account completely after X failed attempts, and not only lock him/her out for a period of time (setting the lockout time to a few years is not enough). In the end we would like the admins of Keycloak to be able to set a timed lockout period or a permanent one for different realms. I guess this would also require the detector to reset the failed-login-attempts count on a successful login.
Does this sound interesting, and could this be something that we could contribute to Keycloak?
Or is there a way to substitute the already existing brute force detector?
Thanks in advance!
Fabian Eriksson
7 years, 12 months
different properties for internal and external tokens
by Waller, Tobias
Hi.
We are currently looking into creating a microservice based application and using Keycloak as identity provider. The application will consist of several services which will communicate in a stateless fashion. Tokens will be passed along the call chain (several hops) and evaluated by each service in order to restrict access (bearer-only services). In some cases calls are queued together with the token. So the processes are processed asynchronously and can take quite some time. But they are guaranteed to be processed within a determinable period of time (e.g. 7 days).
Processes are triggered in three different ways:
1. by internal (batch) processes (via client credentials grant)
2. by external legacy applications (via resource owner password credentials grant)
3. by external users via web interface (via implicit grant)
Tokens issued for use cases 1 and 2 are held strictly within our datacenter (internal token). Therefore we see no harm in issuing tokens with a sufficient lifespan (e.g. 7 days). Tokens issued for use case 3, on the other hand, are passed to the browser of the user (external token). In order to avoid potential security breaches and information leakage we want these tokens to fulfill the following properties:
a. have a shorter lifespan
b. do not contain information not needed by the client. Especially, the token should not contain any roles specific to internal backend-services, which could be used to infer information about application architecture.
Our first idea for allowing the user to trigger long-running processes was to validate the external token in the API gateway and exchange the external token for an internal one, that is, using the external token as an authorization grant as described in section 2.1 of RFC 7523. While Keycloak supports client authentication via JWT, which is also described in the same RFC, this does not seem to be supported right now.
Are there any plans to support the grant_type "urn:ietf:params:oauth:grant-type:jwt-bearer" in the future? How can we implement different properties for internal and external tokens without losing the identity of the user initiating a process, or without using distributed or sticky sessions, with the means currently available?
Thank you
Tobias
________________________________
Company: Capgemini Deutschland GmbH
Chairman of the Supervisory Board: Antonio Schnieder • Managing Directors: Dr. Michael Schulte (Speaker) • Jost Förster • Dr. Peter Lempp • Dr. Volkmar Varnhagen
Local Court Berlin-Charlottenburg, HRB 98814
7 years, 12 months
Session timeout based on AuthN level of assurance
by Santosh Haranath
Does the Script Authenticator in the authentication flow provide a way to
manage session timeout according to the level of assurance? For example, 2FA is
valid for 20 mins but local LDAP authn is valid for 60 mins.
How can we implement this requirement with keycloak?
Thanks
7 years, 12 months
Re: [keycloak-user] keycloak.js - page reloads itself when logged in
by Blazej Checinski
Hi Guys,
Sorry to bring it back again, but I've met the same issue.
Tried the angular2-product example and I get an endless reload loop under
Firefox (each after 5 seconds).
This doesn't happen under Chromium.
My setup is a Keycloak server in its own domain. The adapter JS is taken
from the server.
The Web origins is just *.
Any ideas?
Best regards,
Blazej Checinski
7 years, 12 months
Offline Tokens Become Useless When SSO Session Max is Reached
by Scott Finlay
Hi,
We have an application which creates users in Keycloak using offline tokens. But we're having an issue where Keycloak returns a 401 (unauthorized) when we try to make requests to it using an access token generated from our offline token. After some investigation we found that there exists a setting in Keycloak called "SSO Session Max" which seems to be an expiration time of the session itself, and after that amount of time, even if the access or refresh tokens are still valid, the session is killed. We found that the amount of time between when we last deployed and the first occurrence of the unauthorized error was 10 hours (the same as the SSO Session Max), and we tested locally with a short max time and were able to reproduce the problem.
Then we found that when we use the offline token, our code thinks that the refresh token expiration time is 0 (which is to be expected since it's an offline token), and when the session lifetime is reached, it continues to use its "unlimited" refresh token to try to generate new access tokens, and it seems that Keycloak still issues new access tokens using that refresh token even though the session doesn't exist, and these tokens don't work. Since Keycloak continues to issue tokens and since it doesn't tell us anything about the session max time, the code has no idea that the tokens are actually not valid.
We can see this happening in the Keycloak admin panel as well; when SSO Session Max is reached the session disappears, but the offline session is still there and the "last refresh" time still updates. Inside the token itself we can see that it's still connected to a client session, but we can see no sessions anymore. After looking into the logs of Keycloak we found this error:
16:39:57,664 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-63) RESTEASY002005: Failed executing POST /admin/realms/Myrealm/users: org.jboss.resteasy.spi.UnauthorizedException: Bearer
at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:178)
at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
at sun.reflect.GeneratedMethodAccessor511.invoke(Unknown Source)
Tracing that through the code of Keycloak we found this which seems to indicate that there must be a valid session associated with tokens:
Starting here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
Then to here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
And finally here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
Is this expected behavior? Are we misunderstanding something or in some way misusing offline tokens?
Regards,
Scott
7 years, 12 months
Setting User Group through Java API Not Working
by Juan Cortez
Hello,
I am trying to create a user through the Java API, but setting the group in my code below is not working. When I go to the Keycloak Admin Console after running this code, I can see that the user was successfully created with the rest of the attributes set, but the group is not set. Am I missing a step in my code? The group in my code below already exists before this code is run.
import java.util.Arrays;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.UserRepresentation;

// Admin client authenticated as a realm admin through the admin-cli client (local test values)
Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth", "myrealm", "myadmin", "myadminpass", "admin-cli");
UserRepresentation user = new UserRepresentation();
user.setUsername("mytestuser");
user.setFirstName("Test");
user.setLastName("User");
user.setEnabled(true);
// The group is set on the representation here; this is the part that does not take effect
user.setGroups(Arrays.asList("mygroup"));
Response result = keycloak.realm("myrealm").users().create(user);
7 years, 12 months
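The behaviour described above matches how the admin REST API treats the groups field on a create call: the user is stored, but the group list on the representation is not turned into memberships. Membership is managed through the separate per-user groups endpoint (PUT .../users/{id}/groups/{groupId}), which the admin client exposes as UserResource.joinGroup. The following is an added example, not code from the post or from the Keycloak project; it reuses the post's connection values and group name and assumes the keycloak-admin-client module with its GroupsResource.groups() and UserResource.joinGroup(String) methods. The group is looked up by name among the realm's top-level groups, because joinGroup needs the group's id, not its name.

```java
import java.util.List;
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class CreateUserInGroup {

    public static void main(String[] args) {
        // Same connection parameters as in the post (local test values, not production credentials).
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "myrealm", "myadmin", "myadminpass", "admin-cli");
        RealmResource realm = keycloak.realm("myrealm");

        UserRepresentation user = new UserRepresentation();
        user.setUsername("mytestuser");
        user.setFirstName("Test");
        user.setLastName("User");
        user.setEnabled(true);

        // Step 1: create the user and keep the id Keycloak assigned to it.
        String userId = createUser(realm.users(), user);
        // Step 2: add the membership as a separate call; "mygroup" is the group name from the post.
        joinGroupByName(realm, userId, "mygroup");
    }

    /** Creates the user and returns the id Keycloak assigned, taken from the Location header. */
    static String createUser(UsersResource users, UserRepresentation user) {
        Response response = users.create(user);
        try {
            // Anything other than 201 Created (e.g. 409 Conflict for a duplicate username) is an error.
            if (response.getStatus() != 201) {
                throw new IllegalStateException("user creation failed with HTTP " + response.getStatus());
            }
            // Location: http://localhost:8080/auth/admin/realms/myrealm/users/<uuid>
            String location = response.getHeaderString("Location");
            return location.substring(location.lastIndexOf('/') + 1);
        } finally {
            response.close();
        }
    }

    /** Resolves a top-level group by name and adds the user to it via PUT .../users/{id}/groups/{groupId}. */
    static void joinGroupByName(RealmResource realm, String userId, String groupName) {
        List<GroupRepresentation> groups = realm.groups().groups();
        GroupRepresentation group = groups.stream()
                .filter(g -> groupName.equals(g.getName()))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException("no top-level group named " + groupName));
        realm.users().get(userId).joinGroup(group.getId());
    }
}
```

Checking the status code before reading the Location header matters: on a 409 (username already exists) there is no Location header, and silently skipping the membership call would leave the user outside the group without any error being raised.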
active directory | end user password change
by lists
Hi,
Keycloak 2.5.0, added MSAD (samba4) as a writeable federation provider,
verified that the MSAD account controls mapper is added.
When an end-user logs into the keycloak account client
(/auth/realms/ourrealm/account) he/she has the option to change his/her
password.
However, keycloak says:
> Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com]
Note: I used "ABC-def123_*%#" as a password, so I guess MSAD password
policies are not the problem here.
Additionally, I was under the impression that I should be able to logon
when in MSAD the "user is required to change password on next login",
and keycloak would require me to change it. However, in that case I'm
just getting an "Invalid username or password".
I asked about these things before, but was told to test the new 2.5.0,
because the problem could have been solved already. However, I'm trying
with 2.5.0, and the behaviour is still there.
Is this functionality working for others using MSAD here? (perhaps
others with samba4 AD?)
Best regards,
MJ
7 years, 12 months
Service Account enable by default for clients, how?
by Sven Thoms
Is it possible via a setting to automatically enable service accounts for clients registered
dynamically via the well-known registration endpoint and registration
access token? My current approach is to iterate over all clients post-creation
and set serviceAccountsEnabled to true. I need a more prompt and
real-time way.
7 years, 12 months