Fine-grained permissions per resource on Keycloak
by Yuriy Yunikov
Hi everyone,
I need to create a fine-grained permissions system for backend resources
using Keycloak and am looking for potential solutions to the problem.
I've already checked the resource management feature
<http://www.keycloak.org/docs/3.3/authorization_services/topics/resource/o...>,
but it doesn't work for me for multiple reasons and has very limited
integration in Java, so I don't consider it anymore.
So another solution I came up with is having a permission system based on
roles and composite roles
<http://www.keycloak.org/docs/3.3/server_admin/topics/roles/composite.html>.
[role-name] (composite)
- tenants:[permission] (composite)
- tenants:[tenant-identifier]:[permission] (composite)
- tenants:[tenant-identifier]:[tenant-resource]:[permission] (composite)
- tenants:[tenant-identifier]:[tenant-resource]:[tenant-resource-identifier]:[permission] (non-composite)
Permissions can be like create/read/update/delete, and the plus of this is
that it can scale if we'd have sub-resources. On the backend, I'll be able
to create filters for these permissions and integrate them with Spring
Security.
I'm looking for opinions and would like to know if this is a valid
structure or whether there are other solutions which can be used. Any opinions
on this?
Regards,
Yuriy
6 years, 11 months
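As an added example (not code from the post above, from Keycloak or from Spring), a backend-side checker for the proposed role scheme: a coarser granted role covers every finer role beneath it, which is exactly what the composite roles in the proposal expand to, so the check can run over the effective roles found in a token's realm_access.roles claim without the backend re-expanding composites itself. All class and method names are hypothetical; the sample roles are constructed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical checker for roles of the form
// tenants[:tenant[:resource[:resourceId]]]:permission (zero to three scope segments).
public final class TenantPermissionChecker {

    private static final String PREFIX = "tenants";
    private static final Set<String> PERMISSIONS =
            new HashSet<>(Arrays.asList("create", "read", "update", "delete"));

    /** True when a role is well-formed: prefix, 0-3 non-empty scopes, known permission. */
    static boolean wellFormed(String[] segs) {
        if (segs.length < 2 || segs.length > 5 || !PREFIX.equals(segs[0])) return false;
        if (!PERMISSIONS.contains(segs[segs.length - 1])) return false;
        for (String s : segs) if (s.isEmpty()) return false;
        return true;
    }

    /** Does the granted role cover the required role? */
    static boolean implies(String granted, String required) {
        String[] g = granted.split(":", -1);
        String[] r = required.split(":", -1);
        if (!wellFormed(g) || !wellFormed(r)) return false;
        // permission must match exactly, and a finer granted role never covers a broader need
        if (!g[g.length - 1].equals(r[r.length - 1]) || g.length > r.length) return false;
        // every scope segment of the granted role must equal the requirement's segment
        for (int i = 1; i < g.length - 1; i++) {
            if (!g[i].equals(r[i])) return false;
        }
        return true;
    }

    /** Builds the role a request needs; resource and resourceId may be null. */
    static String required(String tenant, String resource, String resourceId, String permission) {
        StringBuilder sb = new StringBuilder(PREFIX).append(':').append(tenant);
        if (resource != null) sb.append(':').append(resource);
        if (resourceId != null) sb.append(':').append(resourceId);
        return sb.append(':').append(permission).toString();
    }

    /** The call a Spring Security filter or @PreAuthorize expression would delegate to. */
    static boolean isAllowed(Set<String> grantedRoles, String requiredRole) {
        return grantedRoles.stream().anyMatch(g -> implies(g, requiredRole));
    }

    public static void main(String[] args) {
        // constructed sample of effective roles as a token's realm_access.roles would carry them
        Set<String> granted = new HashSet<>(Arrays.asList(
                "tenants:acme:read", "tenants:acme:invoices:42:update"));
        System.out.println(isAllowed(granted, required("acme", "invoices", "7", "read")));
        System.out.println(isAllowed(granted, required("acme", "invoices", "7", "update")));
        System.out.println(isAllowed(granted, required("globex", null, null, "read")));
    }
}
```

Because the non-composite level is one role per resource instance, the number of realm roles grows with the data, and every such role a user holds is carried in their token, so token size is worth watching as the scheme scales.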
validating an access token from an external service with a public client
by Rafael Chaves
Hi,
Keycloak/OAuth newbie here, possibly asking a silly question. This is the
architecture we have:
1) a web application, with authentication done via keycloak
2) an external service (REST API) that is invoked by the application above
In that external service, I would like to implement a simple mechanism that
allowed me to ensure the requests received are made by a valid user in that
web application. We do not necessarily care about obtaining user
information at this point (or permissions).
The initial idea is that the web application would pass, in every
request to the external service, an access token generated by Keycloak.
The external service would then ensure that the token is indeed valid,
which we assume involves accessing the Keycloak server (that would be fine).
We looked into the entitlement API and that was pretty close (one-legged
verification), but it seemed to require the "Authorization Enabled" toggle
to be ON in the client configuration. We do not understand the entire
impact of enabling that configuration. But we noticed that at least the
client is then required to use a secret to work, which the web application
currently does not use. Can that change be avoided, and are there other
impacts?
BTW, we are using Keycloak 3.3.0.Final.
Thank you,
Rafael
6 years, 11 months
password policy | Not (containing) Username
by lists
Hi,
We would like to also prevent passwords *containing* the username, to
also prevent passwords like Username_1980
The regular password policy "Not Username" only matches exact
"username", rather than anything containing the username.
Would it be possible to create a regex password policy to match a
password *containing* the username? But I don't think this is possible..?
Or perhaps I could file a feature request to change the current policy
into "Not containing username"?
MJ
6 years, 11 months
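The built-in regex password policy is applied to the password string alone and has no way to reference the username, so the check asked for above needs a custom policy provider. The class below is an added example (not Keycloak's own code and not from the post): it rejects passwords that contain the username case-insensitively, so "Username_1980" fails where the exact-match "Not Username" policy passes. It assumes the org.keycloak.policy.PasswordPolicyProvider interface of the 3.x line (check it against your deployed version), a hypothetical message key added to the theme's messages bundle, and a constructed minimum username length below which the check is skipped.

```java
package com.example.keycloak.policy; // hypothetical package

import java.util.Locale;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.policy.PasswordPolicyProvider;
import org.keycloak.policy.PolicyError;

/**
 * Custom password policy: the password must not contain the username
 * (case-insensitive substring), unlike the built-in exact-match "Not Username".
 */
public class NotContainsUsernamePasswordPolicyProvider implements PasswordPolicyProvider {

    // hypothetical message key; add it to messages_en.properties of your theme
    static final String ERROR_MESSAGE = "invalidPasswordNotContainsUsernameMessage";

    // constructed policy decision: a 1- or 2-character username would otherwise
    // reject almost every password, so such usernames are not checked
    static final int MIN_USERNAME_LENGTH = 3;

    /** Pure check, kept free of Keycloak types so it can be unit-tested directly. */
    static boolean containsUsername(String username, String password) {
        if (username == null || password == null) return false;
        String u = username.trim().toLowerCase(Locale.ROOT);
        if (u.length() < MIN_USERNAME_LENGTH) return false;
        return password.toLowerCase(Locale.ROOT).contains(u);
    }

    @Override
    public PolicyError validate(RealmModel realm, UserModel user, String password) {
        return validate(user.getUsername(), password);
    }

    @Override
    public PolicyError validate(String username, String password) {
        // returning null means the password passes this policy
        return containsUsername(username, password) ? new PolicyError(ERROR_MESSAGE) : null;
    }

    @Override
    public Object parseConfig(String value) {
        return null; // this policy takes no argument in the realm's policy string
    }

    @Override
    public void close() {
    }
}
```

The provider is registered through a PasswordPolicyProviderFactory listed in META-INF/services/org.keycloak.policy.PasswordPolicyProviderFactory inside the deployed jar; the factory's id is the policy name that then appears in the admin console.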
Keycloak 3.4.3, custom SPI deployment: noclassdef-error caused by ClassNotFoundException when trying to call LDAPStorageProvider
by Dominik Guhr
Hi everyone,
sorry for spamming, but I have another problem here:
I am using Maven to deploy my jar file to Keycloak 3.4.3.
I added the dependencies for Kerberos and LDAP federation like this
(with and without scope provided):
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-kerberos-federation</artifactId>
    <version>3.4.3.Final</version>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-ldap-federation</artifactId>
    <version>3.4.3.Final</version>
</dependency>
In my IDE I can call the classes in question, e.g. LDAPStorageProvider,
but when the jar is successfully deployed to Keycloak, I get the
following exception when my method is called:
...Caused by: java.lang.ClassNotFoundException:
org.keycloak.storage.ldap.LDAPStorageProvider from [Module
"deployment.ldap-authenticator.jar" from Service Module Loader]
I looked in modules/...keycloak/ and saw all jars lying there in version
3.4.3.Final, I even looked inside with jar -tf, and the class in
question is provided. As said, I tried to use scope provided and no
scope, without effect.
Apart from that, I changed the module.xml for the private jars by
removing the private part from them and restarting the kc server, but
without any effect.
At this link you can see the build definition of my pom.xml:
https://pastebin.com/xgHdSGFa
So, am I missing something? I hope someone can help me out here. :/
6 years, 11 months
EJB sessionContext.isCallerInRole
by JOSE INACIO DA SILVA JUNIOR
Hi!
I'm migrating a big Java EE application to Keycloak and I'd like to keep using the default Java EE security methods like isCallerInRole or hasRole.
My roles are generated programmatically. How can I generate a principal's roles programmatically with Keycloak? Could anyone point me to an example?
Thanks
Inácio
6 years, 11 months
keycloak proxy - How to hide the path after the TLD
by kevin_walsh@deichmann.com
Dear list,
I need to access static html views of our documentation server after
authenticating users using keycloak.
The html views are available at
http://documentation:8090/view/department1
http://documentation:8090/view/department2
http://documentation:8090/view/department3
...
My idea was to use the keycloak proxy as follows:
keycloak-proxy:8081 for department1
keycloak-proxy:8082 for department2
keycloak-proxy:8083 for department3
...
BUT I would like my users to see only keycloak-proxy:8081, not the
following path, while they get the information of the respective path. Can
I do this with keycloak proxy, and which settings would I need?
In a next step I need to add a proxy for Internet users to access the
keycloak-proxy to hide even the "keycloak-proxy:PORT".
My current proxy_department1.json is this (obviously without any path
mappings):
-begin-----------------------------------------------------------------------
{
  "target-url": "http://documentation:8090",
  "bind-address": "0.0.0.0",
  "http-port": "8081",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "Manuals",
        "auth-server-url": "http://keycloak-proxy:8080/auth",
        "ssl-required": "none",
        "resource": "keycloak-proxy",
        "credentials": {"secret": "1234"},
        "use-resource-role-mappings": false,
        "confidential-port": 0
      },
      "constraints": [
        {
          "pattern": "*",
          "roles-allowed": ["manuals_user"]
        },
        {
          "pattern": "/view/manuals/*",
          "roles-allowed": ["manuals_user"]
        }
      ]
    }
  ]
}
-end-----------------------------------------------------------------------
Thank you & kind regards
Kevin Walsh
IT Software Development | Documentation
Phone: +49 201 8676 932
Fax: +49 201 8676 49932
Mobil: +49 177 6664666
kevin_walsh(a)deichmann.com
From: keycloak-user-request(a)lists.jboss.org
To: keycloak-user(a)lists.jboss.org
Date: 24.01.2018 14:26
Subject: keycloak-user Digest, Vol 49, Issue 49
Sent by: keycloak-user-bounces(a)lists.jboss.org
Today's Topics:
1. Re: Possibility to set new Provider in authentication flow for non-unique usernames (Dominik Guhr)
2. Re: Validate User Credentials Without Creating a Session (Marek Posolda)
3. Re: DB changes not refreshing on cluster nodes. (Marek Posolda)
4. Re: DB changes not refreshing on cluster nodes. (Angel Abella)
----------------------------------------------------------------------
Message: 1
Date: Wed, 24 Jan 2018 12:52:58 +0100
From: Dominik Guhr <pinguwien(a)gmail.com>
Subject: Re: [keycloak-user] Possibility to set new Provider in authentication flow for non-unique usernames
To: keycloak-user(a)lists.jboss.org
p.s. one provider uses Kerberos for authentication, the other does not.
On 24.01.18 at 12:51, Dominik Guhr wrote:
> So, further investigation notes:
>
> I think I should call the Provider like it's done here:
>
> https://github.com/keycloak/keycloak/blob/master/examples/providers/user-...
> in the create method, which allows me to call the corresponding
> isValid(...) method of the required providers and only set the boolean
> return value of validatePassword to false if the credentials don't
> match in any of the providers.
>
> But to call this for ldap-providers set by admin interface, I need two
> things:
>
> a) a Componentmodel.
> Concrete Question: Anyone knows how to get the right ComponentModel
> instance to use from my AuthenticationFlowContext of
> AbstractUsernameFormAuthenticator.java? I've seen that it's possible to
> get a List of ComponentModels by calling
> context.getRealm().getComponents(), or by getComponent(String s), but I
> don't know which String would be the valid parameter or which Model I
> should take out of the List.
>
> b) the lookup-path.
> Concrete question 2: Anyone knows how to get it from the internally used
> Factories or s.th.?
>
> My Providers are 2 ldap directories which I want to iterate over for the
> username.
>
> Thanks in advance!
>
> Best regards,
> Dominik
>
> On 24.01.18 at 09:27, Dominik Guhr wrote:
>> Hi everyone,
>>
>> I'm implementing an authentication SPI execution on top of the
>> "normal" username/password form of kc 3.4.3.Final. ->
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
>>
>> Sadly, usernames are not unique atm, so I need to change the
>> execution, so that it doesn't stop with "invalid credentials" for a
>> user who was found in one Provider.
>>
>> Instead of giving the "invalid credentials"-error, I want my execution
>> to first check all other providers for the same username, and then
>> check the credentials against all matches. And just in case of no
>> credentials matching, it should fail, or login a new session for this
>> user when one is found in any of my (3) Providers, which are added by
>> user federation feature (2 ADs, one by a custom user storage SPI).
>>
>> So I drilled it down to the method validatePassword(...) in
>> AbstractUsernameFormAuthenticator.java ->
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
>> line 191, which I want to change accordingly. Sadly, I can't find a
>> method to get all Providers of the realm and check accordingly. The
>> code I want to change is:
>>
>> if (password != null && !password.isEmpty() &&
>>         context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
>>     return true;
>> } else {...}
>>
>> instead of just checking isValid() for one provider, which is what
>> this does atm, I want to check all Providers. Like this pseudocode:
>>
>> if (password != null && !password.isEmpty()) {
>>     boolean isValid = false;
>>     List<Provider> realmProviders = context.getAllProviders();
>>     for (Provider provider : realmProviders) {
>>         // accept as soon as any provider validates the credentials
>>         if (provider.isValid(...)) {
>>             isValid = true;
>>             break;
>>         }
>>     }
>>     return isValid;
>> } else {...}
>> Could anyone perhaps give me a hint in how to achieve this? I haven't
>> found a method yet to get all Providers and check for isValid in any
>> of the given ones.
>>
>> Best regards,
>> Dominik
>>
>> p.s. I created a stackoverflow question here:
>> https://stackoverflow.com/questions/48399622/keycloak-check-password-in-m...
>> feel free to comment/answer there :)
------------------------------
Message: 2
Date: Wed, 24 Jan 2018 13:59:05 +0100
From: Marek Posolda <mposolda(a)redhat.com>
Subject: Re: [keycloak-user] Validate User Credentials Without Creating a Session
To: Scott Finlay <scott.finlay(a)sixt.com>, "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Hi Scott,
It's not available OOTB, but you can add your own REST endpoint to
verify username/password. Alternatively, you can just do a directGrant
login (OAuth2 Resource Owner Password Credentials Grant) and then log out
the session.
Marek
On 23/01/18 09:49, Scott Finlay wrote:
> Hi,
>
> We're currently using Keycloak 2.5.5.Final, and in this version it's not
> possible to validate a user's credentials (username / password combination)
> without actually logging the user in, which results in a session (and our
> sessions are long-lived). Is there any new functionality introduced in the
> later versions of Keycloak to validate the credentials without actually
> logging the user in?
>
> Our use-case is that we have very long-lived tokens, but we want to
> require the user to re-enter his/her password in order to perform some
> certain sensitive tasks such as changing the password or username.
>
> If such functionality is not available, would it be possible to add this?
>
> Regards,
>
> Scott
------------------------------
Message: 3
Date: Wed, 24 Jan 2018 14:00:56 +0100
From: Marek Posolda <mposolda(a)redhat.com>
Subject: Re: [keycloak-user] DB changes not refreshing on cluster nodes.
To: Angel Abella <aabella(a)bkool.com>, keycloak-user(a)lists.jboss.org
I guess your cluster is not correctly set up, hence the node doesn't
correctly propagate the invalidation event to the other nodes and those
nodes still see the stale entries in their cache. See the Keycloak
clustering documentation for more details on how to set up/troubleshoot it.
Marek
On 23/01/18 13:01, Angel Abella wrote:
> Hello list!
>
> We are experiencing some problems with our standalone-ha setup of Keycloak
> 2.4.0.
> Everything works as expected except when a user changes a password or is
> added or removed from a group. When this happens the node making the change
> is aware of it, but the other one does not until it is restarted.
>
> Any idea of what is going on?
------------------------------
Message: 4
Date: Wed, 24 Jan 2018 14:16:14 +0100
From: Angel Abella <aabella(a)bkool.com>
Subject: Re: [keycloak-user] DB changes not refreshing on cluster nodes.
To: Marek Posolda <mposolda(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
I've revised the docs but everything seems to be ok.
I am attaching the configuration file just in case someone can see what I'm
missing.
2018-01-24 14:00 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
> I guess your cluster is not correctly set up, hence the node doesn't
> correctly propagate the invalidation event to the other nodes and those
> nodes still see the stale entries in their cache. See the Keycloak clustering
> documentation for more details on how to set up/troubleshoot it.
>
> Marek
>
> On 23/01/18 13:01, Angel Abella wrote:
>
>> Hello list!
>>
>> We are experiencing some problems with our standalone-ha setup of Keycloak
>> 2.4.0.
>> Everything works as expected except when a user changes a password or is
>> added or removed from a group. When this happens the node making the change
>> is aware of it, but the other one does not until it is restarted.
>>
>> Any idea of what is going on?
>
--
Angel Abella
*IT *
*BKOOL* *Connect* *| Sport*
mail: aabella(a)bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone-ha.xml
Type: text/xml
Size: 30861 bytes
Desc: not available
Url :
http://lists.jboss.org/pipermail/keycloak-user/attachments/20180124/c4443...
------------------------------
End of keycloak-user Digest, Vol 49, Issue 49
6 years, 11 months
DB changes not refreshing on cluster nodes.
by Angel Abella
Hello list!
We are experiencing some problems with our standalone-ha setup of Keycloak
2.4.0.
Everything works as expected except when a user changes a password or is
added or removed from a group. When this happens the node making the change
is aware of it, but the other one does not until it is restarted.
Any idea of what is going on?
--
Angel Abella
*IT *
*BKOOL* *Connect* *| Sport*
mail: aabella(a)bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com
6 years, 11 months