default permissions
by Corentin Dupont
Another question: how to apply default authorizations?
I want to protect my API with authorization in Keycloak. However some
resources should be open to the public, accessible without any bearer token.
My idea was:
- create an "unregistered_user" composite role, containing some basic roles
- create a "guest" user, with the unregistered_user role
- on the API server, if there is no token in the request I will get the
roles of the guest user and use them. If there is a token, I'll use that
user permissions.
What do you think of that process?
Thanks
7 years, 1 month
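Added example, not code from the post or from Keycloak: one way an API server can implement the fallback described above. The detail worth getting right is that only a missing Authorization header yields the guest roles; a token that is present but fails verification yields no roles at all, so a bad token never degrades to guest access. The guest role name, the claims and the HS256 demo secret are constructed for this example; Keycloak signs access tokens with the realm's RS256 key, so a real server verifies against that public key instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the roles the guest user carries through the
# "unregistered_user" composite role, and an HS256 demo secret. Keycloak signs
# access tokens with the realm's RS256 key; verify against that in production.
GUEST_ROLES = frozenset({"view-public"})
DEMO_SECRET = b"constructed-demo-secret"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims):
    """Build an HS256 JWT in Keycloak's shape (realm roles under realm_access)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Return the claims if the signature checks out and exp is in the future."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def effective_roles(authorization, now=None):
    """No Authorization header: the guest user's roles. Valid bearer token: its realm
    roles. Anything else (bad scheme, bad signature, expired): no roles at all."""
    if authorization is None:
        return GUEST_ROLES
    scheme, _, token = authorization.partition(" ")
    claims = verify_token(token, now) if scheme.lower() == "bearer" else None
    if claims is None:
        return frozenset()
    return frozenset(claims.get("realm_access", {}).get("roles", []))
```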
Authorization transfer
by Corentin Dupont
Hi guys,
is it possible for an application user to grant some authorizations to
another user?
For example in the photoz example, how can I give access to my albums to
another user?
What would be the mechanism?
Thanks a lot
Corentin
7 years, 1 month
SAML Logout url
by Min Han Lee
Hello,
can anyone shed some light on how to configure SAML single logout, please?
I postfixed the POST binding by adding ?GLO=true, but it didn't work.
Kind Regards
7 years, 1 month
Keycloak OpenID Endpoint Configuration
by Lilith Saer
Hi there. I am looking to change the default URL that an unauthenticated
user is directed to (by default, the KC login page) after attempting to
access a resource that requires authentication.
How can I do this?
Thank you!
7 years, 1 month
Java EE server compatibility and JSR-375
by Robert .
Is it possible to implement JSR-375 using Keycloak?
Will this allow you to use Keycloak on any Java EE server without the
Spring adapter and any of the server specific keycloak adapters?
Are there any plans to do something with Keycloak and JSR-375?
The Keycloak documentation gives a warning about the Java Servlet Filter
Adapter. It states that:
"Backchannel logout works a bit differently than the standard adapters.
Instead of invalidating the HTTP session it marks the session id as logged
out."
What are the implications of this? Will something not work properly? Will
the web application still think the user is logged in?
Or is the HTTP session not cleaned up from memory?
7 years, 1 month
logout not working with IDPs
by Nijo Johny
Hello,
My use case: enable user SSO with multiple IDPs such as Okta, OneLogin, ADFS etc.
I have single sign-on working with all IDPs, no problems. But logout is not working.
Here is my setup.
Our front end (single page) application is configured as an OIDC client to Keycloak. Keycloak acts as broker to all external IDPs using SAML. Okta, ADFS and OneLogin are configured as identity providers under the realm.
To enable logout on the Okta side there is an option "Allow application to initiate Single Logout". But for this, I need to provide 3 parameters:
1. Single Logout url (The location of where the logout response will be sent)
2. SP Issuer (The issuer of the service provider)
3. Signature Certificate. (Determines the public key certificate used to verify the digital signature).
I need help with 2 and 3. Keycloak Documentation says Realm Keys are used to sign, but
how to export this from Keycloak to import into Okta? Okta only allows importing it.
What should I provide for SP Issuer?
Note: Back channel logout is not enabled.
Regards,
NJ
7 years, 1 month
Error in base64 decoding saml message
by Alex Zeleznikov
Hello, we are using Keycloak as a local IDP. Currently the Keycloak server is being served to SPs via simplesamlphp. The connection to the simplesaml server works, a user can log in and log out without issues; however, when a user tries to authenticate via an SP, the Keycloak server login page shows "invalid request".
Looking at the logs I see:
`2017-11-19 08:13:31,218 ERROR [org.keycloak.saml.common] (default task-2) Error in base64 decoding saml message: java.lang.RuntimeException: PL00064: Parser: Unknown Start Element: Scoping::location=org.codehaus.stax2.XMLStreamLocation2$1@5917b7e5`
Here is the SAML data when authenticating only via simplesaml (this works):
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5"
Version="2.0"
IssueInstant="2017-11-16T07:28:00Z"
Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>
<saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lQF9e0r3X8T4QbyUU9r0pjaWyPk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>MIdx3PVLBZqUYkkg9GGUQRlpdOo8p1ajmGoUYm29JcYkPE7FYiVfgEpSj6GQ97MStUOiVJHEggFp201a40ucORqG2YG9VD7rhH0Ac7FGkO0AcqfPaVzDk+jXxiEtQZKAdTWj8UDVUtHjSg52ZKwmXyPru84gOevPgr+zs6XU7r0fWCQniwg6Dqc4E1dB5QThpj04iaMMeIHLf0dyQWPALQUtW4URMWhwLog6swGrTig/4vPh/hI7jiXB45okGjcvBJZvRLXPsS7+M6Jeu+XLK9/wCUGc05vxpK7Yn9AHnkZDer5P1b5ZaOoo0yLMe/x5tLlfWYmOO0oec4dE/5C6mw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</samlp:AuthnRequest>
And here is the SAML data when authenticating via an SP (this doesn't work):
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
Version="2.0"
IssueInstant="2017-11-16T07:09:05Z"
Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml"
AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>
<saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_c327a0622c69920a4bdefa8a2fd98847b67cf18473">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lss9SZraPBlGe6oR6EbuUe9bbrE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>YFtlgSogdf4itNcckDhylaQNMx+nLi1MCndwvFsx9wBZFb4RTEZ05uYdK9lsIQBFIxjFnYmIil4h6CNLVoLzvdDKFZUdnY3Fpmz3p/Oo+0+ho/8gSp7bm1NlXJarMwHc36tFSKmFZb5fsGElX/1mH6NfsD2S46EmZiK7b7jYkbQVq4UaWVJ5ihvvil8FXTas5/JEUJai3X94/viglVhc5uptoBy/spRjdAnlUFSJKqmmgHWH/Dd/2ElOJiyi+z04O5lVvC5pjTWVHRxHwLlwKF/QjC3Z16cFKR4Y0Bm7uDxvQiGt5eH5Qvm96GYpLk5mV4cTlGELQbKRbECatnuS1Q==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Scoping>
<samlp:RequesterID>https://terena.org/sp</samlp:RequesterID>
</samlp:Scoping>
</samlp:AuthnRequest>
7 years, 1 month
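Added example, not from the post: a small parser that pulls out the fields worth comparing when the IdP accepts one AuthnRequest and rejects another, including whether a samlp:Scoping element is present, which is the only difference between the two requests above. The two requests inside the block are constructed and trimmed (no signature), not the ones from the post.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, trimmed requests in the two shapes from the post: a direct
# request, and a proxied one that carries <samlp:Scoping> with a RequesterID.
DIRECT_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_direct01" Version="2.0" Destination="https://idp.example/protocol/saml">
  <saml:Issuer>https://sp.example/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

PROXIED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_proxied01" Version="2.0" Destination="https://idp.example/protocol/saml">
  <saml:Issuer>https://sp.example/metadata</saml:Issuer>
  <samlp:Scoping>
    <samlp:RequesterID>https://upstream-sp.example/sp</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""


def describe_authn_request(xml_text):
    """Summarise the fields an IdP operator compares when one request is rejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "signed": root.find(f"{{{DSIG}}}Signature") is not None,
        # Scoping appears when an intermediate SP/proxy forwards the request;
        # each RequesterID names an SP the request was proxied for.
        "scoping": scoping is not None,
        "requesters": [e.text for e in root.iterfind(f"{{{SAMLP}}}Scoping/{{{SAMLP}}}RequesterID")],
    }


def differing_fields(xml_a, xml_b):
    """Names of the summary fields that differ between two requests."""
    a, b = describe_authn_request(xml_a), describe_authn_request(xml_b)
    return sorted(k for k in a if a[k] != b[k])
```

For requests arriving from untrusted sources, parse with defusedxml rather than the standard library parser.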
Detecting login attempt from a new "location"
by The Fredo
Hi all,
My requirement is to be able to detect a user's attempt to login from a new "location"
Which "location"-related (IP or user agent) information does KC store in its database that would make it possible to detect such an event? Where is the history of closed user sessions (if there is one)? If there is none, is it possible to add the user agent somewhere?
Thanks !
PS: I'm currently using KC 2.5.4 + (KC proxy) but no problem to upgrade if necessary.
7 years, 1 month
Error when using bookmarked login page
by RickT153 .
Hello,
I am trying to secure a single page application with Keycloak. The setup is
the following: There are a few microservices and Keycloak behind an Apache
Reverse Proxy, which has mod_auth_openidc installed.
The authentication works fine. When a user visits my page www.example.com he
will be redirected to www.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&many_more=parameters. The Keycloak
login-page is presented to the user and when he enters his credentials
correctly he is redirected to my page www.example.com/main and can use the
application.
So far, so good.
Now the problem is that a user might want to bookmark my site right after
visiting it. That means that he will bookmark the Keycloak login-page. But
there are some parameters (like state and nonce) in the login-page url that
are only valid for the initial login-session. Therefore, visiting the
bookmarked page at a later time will cause an error and the user will not
be able to access my page.
Do you have any tips on how I can fix this problem? Are there common ways
to allow a user to visit a bookmarked login page without breaking the
authentication flow?
Thanks,
Patrick
7 years, 1 month
how to force (kind-of) re-activation when user has logged in from a new location ?
by The Fredo
Hi all,
I'd like :
- to detect that a user has just logged in from a new "location" (e.g. userAgent, IP, etc.).
- If such an event happens, I'd like to make him perform a new account activation, like he did when he registered, i.e. send an activation email.
I read in the doc that Keycloak is open and offers the possibility to add custom behavior through plugins. But I don't know where to start exactly, i.e.:
- how/where to intercept the login flow to add my own code (i.e. just after the successful authentication)
- how to trigger this kind of new activation (probably by adding a required action, but how exactly?)
Any leads would be appreciated since I'm discovering Keycloak.
I'm currently using KC 2.5.4 + (KC proxy) but no problem to upgrade if necessary.
Thanks !
7 years, 1 month
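Added example serving both of The Fredo's posts (this one and 'Detecting login attempt from a new "location"'), not Keycloak code: the decision logic a custom event listener could apply to successful logins. It coarsens the IP to a network and the user agent to a browser family, enrolls the first location silently, and returns 'reactivate' for an unseen one, remembering it only once the re-activation is confirmed. The login events, and the assumption that the user agent is recorded next to the IP, are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed successful-login events (user, IP, user agent). Keycloak's LOGIN
# event carries the IP; recording the user agent beside it is assumed here.
SAMPLE_EVENTS = [
    ("alice", "203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"),
    ("alice", "203.0.113.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"),
    ("alice", "198.51.100.5", "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0) Safari/604.1"),
    ("bob", "2001:db8::1", "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0 Safari/537.36"),
    ("alice", "198.51.100.9", "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0) Safari/604.1"),
]

def network_of(ip):
    """Coarsen to IPv4 /24 or IPv6 /64 so a new DHCP lease is not a new location."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def ua_family(ua):
    """Keep only the browser product so a routine browser update is not 'new'."""
    match = re.search(r"\b(Firefox|Chrome|Safari|Edge|MSIE)\b", ua)
    return match.group(1) if match else "unknown"

class LoginLocationTracker:
    def __init__(self):
        self.known = defaultdict(set)  # username -> {(network, browser family)}

    def observe(self, user, ip, ua):
        """'enroll' on the first login ever, 'known' for a remembered location,
        'reactivate' for a new one (the trigger for a fresh activation email)."""
        fp = (network_of(ip), ua_family(ua))
        if not self.known[user]:
            self.known[user].add(fp)
            return "enroll"
        return "known" if fp in self.known[user] else "reactivate"

    def confirm(self, user, ip, ua):
        """Remember the location only after the user completed the re-activation."""
        self.known[user].add((network_of(ip), ua_family(ua)))

def run(events):
    # For the constructed events every re-activation is assumed to succeed.
    tracker, decisions = LoginLocationTracker(), []
    for user, ip, ua in events:
        decision = tracker.observe(user, ip, ua)
        if decision == "reactivate":
            tracker.confirm(user, ip, ua)
        decisions.append(decision)
    return decisions
```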