Keycloak Standalone SSL
by Y Levine
I have the latest version of Keycloak running on Red Hat Linux 7 (all
server specs followed).
Added SSL by following the steps here:
http://www.keycloak.org/docs/1.9/server_installation_guide/topics/network...
All seems good to this stage (standalone startup logs below).
However, the following are not accessible remotely (firewalld and all other
firewalls checked out):
http://server-name:8080/auth
https://server-name:8080/auth
Have I missed another setting?
=========================================================================
JBoss Bootstrap Environment
JBOSS_HOME: /opt/keycloak-3.2.1.Final
JAVA: /opt/jdk1.8.0_144/bin/java
JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
=========================================================================
15:45:44,940 INFO [org.jboss.modules] (main) JBoss Modules version
1.5.1.Final
15:45:45,138 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
15:45:45,230 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0049:
Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) starting
15:45:46,633 INFO [org.jboss.as.server] (Controller Boot Thread)
WFLYSRV0039: Creating http management service using socket-binding
(management-http)
15:45:46,681 INFO [org.xnio] (MSC service thread 1-4) XNIO version
3.3.4.Final
15:45:46,692 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO
Implementation Version 3.3.4.Final
15:45:46,760 INFO [org.jboss.as.connector.subsystems.datasources]
(ServerService Thread Pool -- 27) WFLYJCA0004: Deploying JDBC-compliant
driver class org.h2.Driver (version 1.3)
15:45:46,842 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 32) WFLYCLINF0001: Activating Infinispan subsystem.
15:45:46,861 INFO [org.wildfly.extension.io] (ServerService Thread Pool --
31) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with
32 task threads based on your 2 available processors
15:45:46,903 INFO [org.jboss.as.connector] (MSC service thread 1-1)
WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final)
15:45:46,909 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service
thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2
15:45:46,978 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 45)
WFLYTX0013: Node identifier property is set to the default value. Please
make sure it is unique.
15:45:46,995 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 40)
WFLYNAM0001: Activating Naming Subsystem
15:45:47,011 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 38)
WFLYJSF0007: Activated the following JSF Implementations: [main]
15:45:47,054 INFO [org.wildfly.extension.undertow] (ServerService Thread
Pool -- 46) WFLYUT0003: Undertow 1.3.15.Final starting
15:45:47,070 INFO [org.wildfly.extension.undertow] (MSC service thread
1-1) WFLYUT0003: Undertow 1.3.15.Final starting
15:45:47,074 INFO [org.jboss.as.naming] (MSC service thread 1-1)
WFLYNAM0003: Starting Naming Service
15:45:47,074 INFO [org.jboss.as.mail.extension] (MSC service thread 1-1)
WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
15:45:47,107 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss
Remoting version 4.0.18.Final
15:45:47,370 INFO [org.jboss.as.security] (ServerService Thread Pool --
44) WFLYSEC0002: Activating Security Subsystem
15:45:47,376 INFO [org.jboss.as.security] (MSC service thread 1-3)
WFLYSEC0001: Current PicketBox version=4.9.4.Final
15:45:47,395 INFO [org.wildfly.extension.undertow] (ServerService Thread
Pool -- 46) WFLYUT0014: Creating file handler for path
'/opt/keycloak-3.2.1.Final/welcome-content' with options
[directory-listing: 'false', follow-symlink: 'false', case-sensitive:
'true', safe-symlink-paths: '[]']
15:45:47,416 INFO [org.wildfly.extension.undertow] (MSC service thread
1-3) WFLYUT0012: Started server default-server.
15:45:47,417 INFO [org.wildfly.extension.undertow] (MSC service thread
1-3) WFLYUT0018: Host default-host starting
15:45:47,485 INFO [org.wildfly.extension.undertow] (MSC service thread
1-3) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:8080
15:45:47,571 INFO [org.jboss.as.ejb3] (MSC service thread 1-4)
WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size
of 32 (per class), which is derived from thread worker pool sizing.
15:45:47,571 INFO [org.jboss.as.ejb3] (MSC service thread 1-3)
WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size
of 8 (per class), which is derived from the number of CPUs on this host.
15:45:48,065 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC
service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou'
8.1.0.Final
15:45:48,110 INFO [org.jboss.as.server.deployment] (MSC service thread
1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war"
(runtime-name: "keycloak-server.war")
15:45:48,111 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
service thread 1-4) WFLYJCA0001: Bound data source
[java:jboss/datasources/KeycloakDS]
15:45:48,112 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
service thread 1-4) WFLYJCA0001: Bound data source
[java:jboss/datasources/ExampleDS]
15:45:48,162 INFO [org.jboss.as.server.deployment.scanner] (MSC service
thread 1-2) WFLYDS0013: Started FileSystemDeploymentService for directory
/opt/keycloak-3.2.1.Final/standalone/deployments
15:45:48,726 INFO [org.wildfly.extension.undertow] (MSC service thread
1-3) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:8443
15:45:48,788 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 57) WFLYCLINF0002: Started loginFailures cache from keycloak
container
15:45:48,803 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 50) WFLYCLINF0002: Started sessions cache from keycloak
container
15:45:48,806 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 52) WFLYCLINF0002: Started realms cache from keycloak
container
15:45:48,792 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 51) WFLYCLINF0002: Started work cache from keycloak container
15:45:48,813 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 48) WFLYCLINF0002: Started actionTokens cache from keycloak
container
15:45:48,815 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 49) WFLYCLINF0002: Started authorization cache from keycloak
container
15:45:48,815 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 53) WFLYCLINF0002: Started authenticationSessions cache from
keycloak container
15:45:48,816 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 55) WFLYCLINF0002: Started users cache from keycloak
container
15:45:48,817 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from
keycloak container
15:45:48,817 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 56) WFLYCLINF0002: Started keys cache from keycloak container
15:45:49,729 INFO [org.keycloak.services] (ServerService Thread Pool --
51) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
15:45:50,238 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 51) WFLYCLINF0002: Started realmRevisions cache from
keycloak container
15:45:50,245 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 51) WFLYCLINF0002: Started userRevisions cache from keycloak
container
15:45:50,256 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 51) WFLYCLINF0002: Started authorizationRevisions cache from
keycloak container
15:45:53,247 INFO [org.hibernate.jpa.internal.util.LogHelper]
(ServerService Thread Pool -- 51) HHH000204: Processing PersistenceUnitInfo
[
name: keycloak-default
...]
15:45:53,299 INFO [org.hibernate.Version] (ServerService Thread Pool --
51) HHH000412: Hibernate Core {5.0.7.Final}
15:45:53,300 INFO [org.hibernate.cfg.Environment] (ServerService Thread
Pool -- 51) HHH000206: hibernate.properties not found
15:45:53,302 INFO [org.hibernate.cfg.Environment] (ServerService Thread
Pool -- 51) HHH000021: Bytecode provider name : javassist
15:45:53,331 INFO [org.hibernate.annotations.common.Version]
(ServerService Thread Pool -- 51) HCANN000001: Hibernate Commons
Annotations {5.0.1.Final}
15:45:53,458 INFO [org.hibernate.dialect.Dialect] (ServerService Thread
Pool -- 51) HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
15:45:53,464 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread
Pool -- 51) HHH000431: Unable to determine H2 database version, certain
features may not work
15:45:53,503 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl]
(ServerService Thread Pool -- 51) Envers integration enabled? : true
15:45:54,069 INFO [org.hibernate.validator.internal.util.Version]
(ServerService Thread Pool -- 51) HV000001: Hibernate Validator 5.2.3.Final
15:45:54,780 INFO
[org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService
Thread Pool -- 51) HHH000397: Using ASTQueryTranslatorFactory
15:45:56,143 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002225: Deploying javax.ws.rs.core.Application:
class org.keycloak.services.resources.KeycloakApplication
15:45:56,144 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002205: Adding provider class
org.keycloak.services.filters.KeycloakTransactionCommitter from Application
class org.keycloak.services.resources.KeycloakApplication
15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002200: Adding class resource
org.keycloak.services.resources.ThemeResource from Application class
org.keycloak.services.resources.KeycloakApplication
15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002200: Adding class resource
org.keycloak.services.resources.JsResource from Application class
org.keycloak.services.resources.KeycloakApplication
15:45:56,145 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002220: Adding singleton resource
org.keycloak.services.resources.RealmsResource from Application class
org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002220: Adding singleton resource
org.keycloak.services.resources.admin.AdminRoot from Application class
org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002210: Adding provider singleton
org.keycloak.services.util.ObjectMapperResolver from Application class
org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002220: Adding singleton resource
org.keycloak.services.resources.WelcomeResource from Application class
org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002220: Adding singleton resource
org.keycloak.services.resources.RobotsResource from Application class
org.keycloak.services.resources.KeycloakApplication
15:45:56,146 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 51) RESTEASY002220: Adding singleton resource
org.keycloak.services.resources.ServerVersionResource from Application
class org.keycloak.services.resources.KeycloakApplication
15:45:56,225 INFO [org.wildfly.extension.undertow] (ServerService Thread
Pool -- 51) WFLYUT0021: Registered web context: /auth
15:45:56,274 INFO [org.jboss.as.server] (ServerService Thread Pool -- 47)
WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name :
"keycloak-server.war")
15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060:
Http management interface listening on http://127.0.0.1:9990/management
15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051:
Admin console listening on http://127.0.0.1:9990
15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025:
Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started in 11793ms -
Started 448 of 823 services (561 services are lazy, passive or on-demand)
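A small checker for the startup log quoted above, added here as an example and not part of the original post. It extracts the bound sockets from the WFLYUT0006 and WFLYSRV0060 lines, flags public listeners that are bound to loopback (unreachable from other hosts, which matches the symptom), and checks whether a given URL's scheme and port line up with a listener. The log excerpt is constructed from the lines in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the standalone startup log quoted in the post above;
# only the lines that report bound sockets are kept.
STARTUP_LOG = """\
15:45:47,485 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:8080
15:45:48,726 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:8443
15:45:56,390 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
"""

# WFLYUT0006 reports each Undertow listener with the address it is bound to.
LISTENER_RE = re.compile(
    r"WFLYUT0006: Undertow (HTTPS?) listener (\S+) listening on ([\d.]+):(\d+)")
# WFLYSRV0060 reports the management interface, which should stay on loopback.
MGMT_RE = re.compile(
    r"WFLYSRV0060: Http management interface listening on http://([\d.]+):(\d+)")


def parse_listeners(log):
    """Return {name: (scheme, address, port)} for every bound socket in the log."""
    found = {}
    for line in log.splitlines():
        m = LISTENER_RE.search(line)
        if m:
            found[m.group(2)] = (m.group(1).lower(), m.group(3), int(m.group(4)))
            continue
        m = MGMT_RE.search(line)
        if m:
            found["management"] = ("http", m.group(1), int(m.group(2)))
    return found


def diagnose(log):
    """Classify each listener: public ones bound to loopback are unreachable
    remotely; the management interface on loopback is the safe default."""
    verdicts = {}
    for name, (_scheme, addr, _port) in parse_listeners(log).items():
        loopback = addr.startswith("127.")
        if name == "management":
            verdicts[name] = "ok-local" if loopback else "exposed"
        else:
            verdicts[name] = "loopback-only" if loopback else "reachable"
    return verdicts


def url_matches_listener(url, log):
    """True if the URL's scheme and port match a listener in the log. Catches
    the https://host:8080 mistake: TLS is served by the 'https' listener (8443)."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return any(scheme == parts.scheme and p == port
               for scheme, _addr, p in parse_listeners(log).values())
```

Both public listeners in the log are bound to 127.0.0.1, the WildFly default; starting with `bin/standalone.sh -b <host-ip>` (which sets jboss.bind.address for the `public` interface) makes them reachable, while the management interface should be left on loopback.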
security context cleared in KeycloakAuthenticationProcessingFilter
by Дмитрий Шохов
Hi!
I have a question regarding the Spring Security adapter.
I have an AngularJS app which opens a websocket using SockJS and a backend
using Java and Spring. I added authentication to the client and wanted to
check the authorization token when the client sends the websocket handshake
to the server. Unfortunately SockJS doesn't allow sending additional headers
because of some security concern. So I decided that I will do a REST request
with an Authorization header before opening the websocket, and then the
websocket would be authorized because it would be the same HTTP session.
This works fine. Now the interesting part. When I open the app the first
time the websocket opens fine, but if I refresh the page the websocket
handshake returns the 401 code. I spent some time finding the reason for
this and this is what I found:
After the reload
1. I send the REST request and Spring starts its filter chain
2. SecurityContextPersistenceFilter loads the security context stored in the
HTTP session and sets it to the thread
local: SecurityContextHolder.setContext(contextBeforeChainExecution)
3. Down the filter chain KeycloakAuthenticationProcessingFilter starts and
does the authorization, which is successful, and
in the successfulAuthentication method it continues the chain
with chain.doFilter(request, response)
4. KeycloakAuthenticationProcessingFilter continues the chain in a
try-finally block and after the chain finishes it clears the context
with SecurityContextHolder.clearContext();
5. SecurityContextPersistenceFilter in its finally block saves the security
context back to the HTTP session repository, which
is HttpSessionSecurityContextRepository. The repository sees that there was
an authenticated security context before the chain started and now it is
unauthenticated because the Keycloak filter cleared it, and it clears it from
the HTTP session.
6. The websocket handshake fails because there is no longer an authenticated
security context in the HTTP session.
After another reload, or during the first load, it works, because the
security context is eagerly saved from SessionManagementFilter, but
SecurityContextPersistenceFilter sees that there was no context before the
chain started and no context after the chain finished, so it does nothing and
the eagerly saved context survives in the HTTP session.
It looks to me like KeycloakAuthenticationProcessingFilter should not clear
the context, and if I remove that line in a locally built version everything
starts to work as I expect. But maybe I don't understand something; I'm
pretty new to Spring Security.
Waiting for your clarifications.
keycloak-spring-security-adapter version 3.2.1.Final
spring-security-web version 4.2.2.RELEASE
Thanks,
Dmitry
Custom Authorization in Keycloak
by Muehlburger, Herbert
Dear Keycloak Community,
we are evaluating Keycloak and have the use case that we cannot migrate authorization information (roles, permissions, ...) to Keycloak. We have this information stored in a legacy database. Is it possible to write an extension to Keycloak which handles authorization decisions there? It would load our roles and permissions, etc. and decide whether it grants access to the user or client being present. I know about the extension mechanism for writing custom User Store providers but I'm not sure if this is the right place to do that for authorization information as well?
Thank you for any help,
Best regards,
Herbert
Herbert Mühlburger
Senior System Engineer
T +43 316 8003
F +43 316 8003 1080
BearingPoint
Seering 6, Block B
8141 Premstätten
Austria
herbert.muehlburger(a)bearingpoint.com <mailto:herbert.muehlburger@bearingpoint.com>
www.bearingpoint.com<http://www.bearingpoint.com/>
CSRF vulnerability in Keycloak account service
by Prapti Mittal
Dear Keycloak Community,
Though there is a CSRF token used in the Keycloak Account service,
there is a *CSRF token fixation vulnerability*.
To prevent CSRF, a cookie named KEYCLOAK_STATE_CHECKER is used (CSRF
defense method: "Double submit cookie"). The CSRF token is required to be
unique for each session. But, as this cookie accepts a user-agent-provided
value at login and doesn't clear the cookie at logout, the value of the
CSRF token is the same across sessions for users using the same user-agent.
This vulnerability can be exploited by an attacker to steal this cookie
from the victim's browser, even when there is no active victim session. And
then, the value can be used by the attacker to perform the CSRF attack. The
impact of this attack can be as bad as an attacker taking over as the admin
of the IDP and exploiting any application hosted using this IDP service.
A fix for the issue was requested at the below link, but it has been deleted
now, for no known reason:
https://developer.jboss.org/thread/275577
My questions are:
1. Why was my fix request deleted?
2. If I fix the vulnerability (by initializing the cookie
KEYCLOAK_STATE_CHECKER at every login), it would be difficult to carry
forward the code changes for every new update from the JBoss community.
How to manage such local fixes?
3. Is there a work-around to the problem?
https://stackoverflow.com/questions/45481833/csrf-vulnerability-in-keyclo...
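A toy model of the double-submit cookie defense discussed above, added as an example and not code from Keycloak or from the poster. The `fixate` flag reproduces the weak behaviour the post describes (a cookie value presented by the user agent is kept at login and not cleared at logout); the hardened mode mints a fresh random token on every login and drops it at logout, which is the fix the post proposes. Cookie name is taken from the post; the class and function names are assumptions.

```python
import secrets

COOKIE = "KEYCLOAK_STATE_CHECKER"  # double-submit cookie named in the post


class StateCheckerSession:
    """Minimal server-side view of one login session and the cookie jar
    it hands to the user agent. `fixate=True` models the reported defect."""

    def __init__(self, fixate):
        self.fixate = fixate
        self.cookies = {}        # cookies the server has issued to the browser
        self.logged_in = False

    def login(self, presented_cookies):
        """Weak mode keeps whatever value the user agent already presents;
        hardened mode always mints a new token for the new session."""
        if self.fixate and COOKIE in presented_cookies:
            self.cookies[COOKIE] = presented_cookies[COOKIE]
        else:
            self.cookies[COOKIE] = secrets.token_urlsafe(32)
        self.logged_in = True
        return self.cookies[COOKIE]

    def logout(self):
        self.logged_in = False
        if not self.fixate:
            self.cookies.pop(COOKIE, None)  # token dies with the session

    def check_state(self, form_token, presented_cookies):
        """Double submit: form field and cookie must match each other and
        must equal the token issued for the current session."""
        return (self.logged_in
                and COOKIE in self.cookies
                and secrets.compare_digest(form_token, self.cookies[COOKIE])
                and secrets.compare_digest(
                    presented_cookies.get(COOKIE, ""), form_token))


def token_survives_relogin(fixate):
    """Is the token issued in session 1 still accepted after a logout and a
    second login from the same user agent? True means the token is fixed
    across sessions, which is the weakness the post reports."""
    s = StateCheckerSession(fixate)
    first = s.login({})
    browser = dict(s.cookies)   # the user agent keeps its cookie jar
    s.logout()
    s.login(browser)            # second session from the same user agent
    return s.check_state(first, browser)
```

The hardened path also shows why per-login initialization alone is enough to break the cross-session reuse: once the token is minted server-side on each login, a value carried over in the cookie jar is simply rejected.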
Multi Tenancy in one realm / roles with group context
by Max Bruchmann
Hi,
I'm currently evaluating Keycloak for my use case. We have a hierarchical
multi-tenant application (sports clubs and teams).
As we have users that work in multiple clubs, the multiple-realm scenario is
not feasible for our application.
There are users that may have roles like "club-admin" for a certain club or
"team-admin" for a certain team.
To evaluate whether a user can do something on a certain team, like
"modifying a team" or "create a training session", I would need to set the
role of a club/team-admin into the context of the club or team.
If I understand it correctly, the roles assigned by a group a user belongs
to are global, meaning that if I try to figure out whether a user can modify
a certain team, the resolved roles will not reflect in which team a user
may be a trainer-admin.
Therefore, to achieve rules like this, I could encode the club/team
context in the role name, like "club-admin@123" or "team-admin@987".
Is this a scalable approach, or is there a better solution for this?
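A resolver for the "role@scope" encoding proposed above, added as an example rather than anything from the post or from Keycloak. It shows the hierarchy check the post needs (a club-level role covers every team of that club, a team-level role only its own team); the club/team ids, users and the action-to-role table are constructed sample data, and the function names are assumptions.

```python
# Constructed sample: club 123 owns teams 987 and 988; club 200 owns team 555.
CLUB_OF_TEAM = {"987": "123", "988": "123", "555": "200"}

# Roles as the post proposes to encode them: "<role>@<club-or-team-id>".
USER_ROLES = {
    "alice": {"club-admin@123"},
    "bob": {"team-admin@987"},
    "carol": {"team-admin@555", "trainer@987"},
}

# Which (unscoped) role names may perform which action on a team.
ACTION_ROLES = {
    "modify-team": {"club-admin", "team-admin"},
    "create-training-session": {"club-admin", "team-admin", "trainer"},
}


def parse_role(role):
    """Split 'team-admin@987' into ('team-admin', '987');
    a role without '@' is global and gets scope None."""
    name, sep, scope = role.partition("@")
    return name, (scope if sep else None)


def can(user, action, team_id):
    """Decide whether `user` may perform `action` on `team_id`.
    Club-scoped roles apply to every team in that club; team-scoped roles
    apply only to the named team. Unknown users, actions or teams are denied."""
    allowed = ACTION_ROLES.get(action, set())
    club_id = CLUB_OF_TEAM.get(team_id)
    if club_id is None:
        return False
    for role in USER_ROLES.get(user, ()):
        name, scope = parse_role(role)
        if name not in allowed or scope is None:
            continue
        if name.startswith("club-") and scope == club_id:
            return True
        if not name.startswith("club-") and scope == team_id:
            return True
    return False
```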
Spring-boot adapter - securityConstraints when deploying to EAP7
by Geadah, Nicolas (VEC)
I am using the spring-boot adapter; everything works fine when running in an embedded Tomcat, with the following security constraints from my application.properties taking effect perfectly:
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*
keycloak.securityConstraints[0].authRoles[0]=user
As soon as I deploy as a WAR file to EAP7, the security constraint no longer takes effect and users are able to navigate to all pages unauthenticated.
Are any adjustments needed to the security constraints, or to the WAR file itself, when deploying a spring-boot application with Keycloak to JBoss/EAP7?
Add / customize IDP
by Sjef
What is the preferred way to add an idp? Or customize the existing SAML idp?
Why is the interface IdentityProvider in an artifact called keycloak-server-spi-private? Does this mean that it shouldn’t be used?
Kind regards,
Sjef
User registration within own application
by christian lutz
Hello keycloak-team,
we are facing a problem with the user registration that we don't know how to solve properly.
Situation:
We have a web client and our own CXF REST endpoints. We secured them with Keycloak. After we created a
Keycloak CXF admin client (see: [1]) it works really nicely.
Currently we add the user manually, because we have to create several authorization resources, something you
described within the photoz example. [2]
Question:
How would you create your own user registration? We tried to adapt the existing user registration: we added an additional
input form for the new user. Then we created an event provider listening to the registration event.
If a registration happens, this provider calls our private REST endpoint to create all groups
and authorization resources for the newly created user. This approach isn't very elegant. All of this is necessary because,
to create the corresponding authorization resources for a new user, we need some id that only our REST service is able to provide.
E.g. /cxf/api/v1/dealers/{id}
Any idea how to solve this in a more elegant way?
[1]: https://github.com/ChristianLutz/keycloak-cxf-admin-client
[2]: https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
With best regards
Christian