Proposal: More Secure PassowrdHashProviders
by Adam Kaplan
My company has a client whose security prerequisites require us to store
passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking
to migrate our user management functions to Keycloak, and I noticed that
hashing with SHA-1 is only provider out of the box.
I propose adding the following providers (and will be happy to
contribute!), using the hash functions available in the Java 8 runtime
environment:
1. PBKDF2WithHmacSHA224
2. PBKDF2WithHmacSHA256
3. PBKDF2WithHmacSHA384
4. PBKDF2WithHmacSHA512
I also propose marking the current Pbkdf2PasswordHashProvider as
deprecated, now that a real SHA-1 hash collision has been published by
Google Security.
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
8 years
JAX-WS 2.2 on Keycloak 2.5.1
by David Lustig
Hello,
There are a number of WCF/SOAP services hosted on separate servers that I need to contact from with within a custom Authenticator in Keycloak 2.5.1. For this task, I have generated SOAP service clients using JAX-WS 2.2 and deployed them with my custom authenticator. Whenever a user hits the authenticator during his login process, though, he gets the following error:
org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: javax/xml/ws/Service
The authenticator's module.xml file has the following dependencies listed:
<module name="org.keycloak.keycloak-core"/>
<module name="org.keycloak.keycloak-model-api"/>
<module name="org.keycloak.keycloak-login-api"/>
<module name="org.keycloak.keycloak-services"/>
<module name="org.jboss.resteasy.resteasy-jaxrs"/>
<module name="javax.xml.ws.api"/>
<module name="javax.ws.rs.api"/>
I would have thought the javax.xml.ws.api dependency would have addressed the issue. Do you know how I can go about loading JAX-WS 2.2 web service clients in Keycloak 2.5.1, or if I should be using a different framework for SOAP calls (I've already tried Axis2, which had its own issues)?
Thank you for your help,
David Lustig
8 years
knowing the url triggered the authentication process
by Iwetta Sowa
Hi,
According to the url triggered the authentication process I need hide or
show some elements on my login page.
I found some variables like ${url.loginUrl}, ${client.baseUrl},
${url.loginResetCredentialsUrl} ${url.loginAction} but
none of them display the url triggered authentication process but only
current url.
Are there some way to check the url tirggers the authentication process ?
Thank you for your help,
Best regards,
Iwetta
8 years
Performance Testing keycloak
by John D. Ament
Hi,
I wanted to put together some basic perf tests of keycloak. I'm logging in
as an admin and doing some basic create user operations.
I wrote a simple gatling script to do this work. One issue I'm seeing is
that gatling is grabbing the bearer header in the request. I was
wondering, do I need to send the bearer or can keycloak rely on the cookie
alone?
8 years
Re: [keycloak-user] Configuring keycloak with JSON instead of UI
by Sarp Kaya
I have been experimenting with import/exports more.
Essentially my end goal is, I want to get the JSON of the changes that I have done on UI so that I can import it to other Keycloak instances in other environments. For instance I can do my changes on test environment and then just import them to production environment, without manually doing these changes through UI.
In terms of exporting it seems like only command line option exists. In terms of importing, there is an import via UI and import via command line.
Command line import doesn’t really work if the realm already exists. You can opt in to overwrite existing realm; but that actually removes the entire realm with the users; where the old users are not retrieved back.
Importing via UI, seems like this can be done with two options, first one is via create realm; which works perfectly fine.
However, if I have an existing realm, and I want to overwrite some changes, then it only works for clients, IDPs, realm roles and client roles. For instance, if I were to enable brute force detection, there is no way to import this setting to an existing realm.
So this is basically what I want to accomplish. I want to be able to copy changed UI configurations to another keycloak instance, so that I would avoid manual UI configurations.
Next thing I will be trying is to see if this endpoint for updating configuration works:
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_update_the_top_...
Otherwise, I do not really see any other way to get that changed.
Thanks,
Sarp
On 2/15/2017 1:06 AM, Sarp Kaya wrote:
> Hello,
>
> I?m aware of keycloak import/export functionality but when I export keycloak configuration it exports with bunch of ids. I?m guessing this is useful for back-ups or duplicating the entire environment.
> My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.) but would like to keep majority of the configuration the same; then this export/import becomes unusable:
>
>
> 1) Everything has an id, so therefore just exporting and then importing singular item will not work due to id mismatch.
If I recall, if you remove an id, a new one will be created. However,
sometimes an id is used to refer to other things in the data structure
so you have to be careful (Again, going from memory here. Test early
and often).
>
> 2) During the import, it?s not possible to select what can be overwritten and what can be skipped. Importing condition applies for all.
>
> My question is, what is the best practice to configure keycloak in multiple environments?
This can get incredibly complex due to dependencies between entities.
But if you keep it simple enough the current import facilities can suffice.
The best answer I can give is that it just depends on what you are
trying to do.
8 years
Directs Grants API & OTP
by Stefan Schlesinger
Hello,
I’m using the Direct Grants API as authentication backend for our Radius server.
Currently I’m unable to determine whether an user already has an OTP token configured or not,
and thus our Radius server always prompts the user with an Access-Challenge dialog.
Users who haven’t configured an OTP token yet won’t be able to login, or in case I can work
around this issue, will at least be presented with a question for an OTP token, which they
are not aware of.
Is there a way how I could improve this? Eg. an API call, which authenticated OpenIDC
clients can trigger?
Best,
Stefan.
8 years
Custom social identity provider in Keycloak 2.5.1
by Haseb Ansari
Hello Keycloak users,
As everyone know keycloak provider with many social IDP providers
login method such as facebook, google, twiiter, etc. But in my case, I have
to integrate a custom social IDP in keycloak. Can anyone help me as to how
can I start with the implementation of Custom Social IDP in keycloak.
Thanks in advance !!!!
Regards,
Haseb
8 years
