Keycloak realm certificates be passed to Knox?
by Jamie McDowell
Hi,
I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox Configuration would have to be updated with new corresponding certificates.
Knox is used to decrypt signed JWTs.
Is this something that can be achieved?
Thanks
Jamie
Organization Based Accounts and Permissions
by Charles Henck
Hello all,
I'm working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I'm not familiar with the specific terminology, I'm thinking of something similar to how GitHub manages their permissions:
- A single user can be a member of multiple organizations
- A user can have different roles with different organizations that grant them access to all of an organization's resources
- A user can have access to a specific resource
- That organization-specific role determines access to different organization resources
Are there any best practices or patterns for this model? Thanks!
Justin
keycloak-gatekeeper bearer-only
by Eric Boyd Ramirez
Dear All,
I am trying to test Keycloak-gatekeeper, have read the docs I could find (keycloak-proxy as well) but I still have a few questions:
1- I am trying to secure a number of REST APIs, configured behind bearer-only clients. I think I need to first get an access token through a confidential client using a 'grant-type=password' request and then do a second request to the REST client resource. Is this the right approach, and how would I implement this using Keycloak-Gatekeeper?
2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access. Is there a way to use Keycloak's authorization settings to manage access to a client's resource (i.e. policies, permissions, uma-ticket, etc.)?
3- How do I set up multiple clients, do I have to run and configure separate instances of Keycloak-Gatekeeper?
Thanks in advance for your time and help.
Regards,
Keycloak Gatekeeper CORS problem
by Geoffrey Cleaves
I'm having a problem accessing a REST service protected by Gatekeeper via
AJAX. I have tried many different combinations of settings in the config
file to no avail. I suspect the Gatekeeper has a bug.
I can access the protected endpoint directly (via Gatekeeper) with no issue
as there is no CORS. I can use the AJAX method successfully when I use a
Chrome plugin to enable CORS for these endpoints.
The message from Chrome is:
Access to XMLHttpRequest at 'http://domain.com:3001/endpoint.php' from
origin 'http://domain2.com:8888' has been blocked by CORS policy: Response
to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested resource.
I see that Chrome only sends an OPTIONS request to Gatekeeper, which does
not respond with an Access-Control-Allow-Origin header at all, despite my
config settings below.
My config.yml file looks like this:
client-id: {id}
client-secret: {secret}
discovery-url: {keycloak endpoint}
enable-default-deny: true
encryption_key: {32characters}
listen: 0.0.0.0:3000
redirection-url: http://domain2.com:3001
upstream-url: http://localhost:8888
secure-cookie: false
verbose: true
#preserve-host: true
resources:
- uri: /admin*
  methods:
  - GET
  roles:
  - test-php-api:test1
  - client:test2
  require-any-role: true
  groups:
  - admins
  - users
- uri: /endpoint.php
  roles:
  - test-php-api:test1
- uri: /backend*
  roles:
  - test-php-api:test1
- uri: /public/*
  white-listed: true
- uri: /favicon
  white-listed: true
- uri: /css/*
  white-listed: true
- uri: /img/*
  white-listed: true
cors-origins:
- '*'
cors-methods:
- GET
- POST
Any ideas?
Geoff
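Added example, not part of Geoff's post or of keycloak-gatekeeper itself: a small Python checker that applies the browser's preflight rules to a captured OPTIONS response, so the missing Access-Control-Allow-Origin header reported in the Chrome message above can be confirmed from a raw response capture before any config is changed. The origin, method and header values in it are constructed.

```python
"""CORS preflight evaluator (added example; not from the original post or
from keycloak-gatekeeper). Feed it the headers of the OPTIONS response the
proxy actually returned and it reports whether the browser would accept
the real request, and why not. All sample values are constructed."""

# Methods that never need to be listed in Access-Control-Allow-Methods.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def parse_raw_headers(raw):
    """Turn a raw 'HTTP/1.1 200 OK\\r\\nName: value...' capture into a dict."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def preflight_verdict(origin, method, resp_headers, with_credentials=False):
    """Return (allowed, reason) for a preflight response.

    origin       -- the page's Origin, e.g. http://domain2.com:8888
    method       -- the method the real request will use
    resp_headers -- response headers, matched case-insensitively
    """
    hdr = {k.lower(): v for k, v in resp_headers.items()}
    acao = hdr.get("access-control-allow-origin")
    if acao is None:
        # Exactly the failure Chrome reported in the thread above.
        return False, "no Access-Control-Allow-Origin header on preflight response"
    if acao == "*":
        if with_credentials:
            return False, "Access-Control-Allow-Origin '*' is rejected for credentialed requests"
    elif acao != origin:
        return False, "Access-Control-Allow-Origin %r does not match origin %r" % (acao, origin)
    if with_credentials and hdr.get("access-control-allow-credentials", "").lower() != "true":
        return False, "credentialed request needs Access-Control-Allow-Credentials: true"
    listed = {m.strip().upper() for m in hdr.get("access-control-allow-methods", "").split(",")}
    if method.upper() not in SAFELISTED_METHODS and method.upper() not in listed \
            and not ("*" in listed and not with_credentials):
        return False, "method %s not in Access-Control-Allow-Methods" % method
    return True, "preflight passes"
```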
Multitenant KeycloakConfigResolver
by Vagelis Savvas
Hello,
in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to
protect I would like some URLs
to not be secured. So I would like my custom KeycloakConfigResolver
implementation
to not be called when those URLs are hit, but it is. The reason I don't
want my KeycloakConfigResolver to be called is simply because
I have no clue as to what to return in that case: it's a non-secured REST
endpoint, so a Keycloak realm doesn't make sense in my understanding.
My setup follows the docs: I've installed the adapter for Wildfly and
the web.xml has the necessary setup for not securing some URLs (no
auth-constraint for those URLs).
Also in jboss-web.xml the security-domain element isn't defined,
although I don't know if that plays any role.
My final goal is to have some URLs secured by using the JBoss specific
@SecurityDomain and the standard @RolesAllowed etc annotations.
Can you please shed some light on this matter? I'd greatly appreciate
any detailed explanation of the mechanisms involved in this area.
Cheers,
Vagelis
PKCE and Keycloak
by Bojan Milosavljević
Hello,
Is PKCE (if my adapter supports PKCE of course) automatically supported by
default by Keycloak or do I have to implement it myself?
Thank you.
Kind regards,
Bojan Milosavljevic.
How to increase logging
by Saranya Mahalingam
Hello,
Authentication component is not coming up. I don't see any errors in logs.
So I thought of improving the logs using JAVA_OPTS like:
- name: JAVA_OPTS
  value: -Dkeycloak.logging.level=debug
But I don't see any changes in the logs even after setting the above value.
Tried a few other options too without success. Do you have any suggestions
here? Let me know if you need any other information.
Thanks,
Saranya
User Federation for Admin Users
by Pulkit Srivastava
Hi,
Is it possible to use an external user federation for admin users in
Keycloak? These users should be able to log in to the Keycloak admin console.
Thanks,
Pulkit