Restrict user's access to a client on keycloak-3.4.3.Final
by rachid sbaibi
Hi all,
I'm using keycloak-3.4.3.Final.
For our UXP applications we delegate the authentication to Keycloak but we need to do some additional checks before granting access to the user.
Our use case is quite simple: not all registered users in Keycloak have access to our applications. So we need to ensure that the user has permission to access our applications before granting him access to UXP. This is done in the backend.
I tried to map roles to user and client but this does not work.
Is there a way to achieve that?
Thanks in advance.
Rachid.
6 years, 1 month
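One way a backend can make the "is this user allowed into this client?" decision is to look at the client role Keycloak puts into the access token. The block below is an added illustration for this thread, not code from the post or from Keycloak. It assumes the adapter has already verified the token's signature (Keycloak signs access tokens with RS256 by default), and it assumes a client "uxp-app" with a client role "uxp-user" mapped to the permitted users; the issuer URL and sample claims are constructed. Client roles live under `resource_access.<client_id>.roles`; realm roles live under `realm_access.roles` and do not restrict a single client.

```python
"""Backend authorization check on a Keycloak access token's claims.

Added example; not the poster's code and not Keycloak's.  Assumptions:
  * signature, issuer and expiry have already been verified by the adapter;
    this code re-checks iss/exp/aud defensively but does not verify signatures;
  * client id "uxp-app" and client role "uxp-user" exist (both assumed).
"""
import base64
import json
import time

CLIENT_ID = "uxp-app"                                 # assumed client id
REQUIRED_ROLE = "uxp-user"                            # assumed client role
ISSUER = "https://sso.example.org/auth/realms/uxp"    # assumed realm issuer


class AccessDenied(Exception):
    """Raised when the claims do not authorise access to this client."""


def decode_claims(token):
    """Return the payload of a compact JWS (header.payload.signature).
    This does NOT verify the signature; only call it on a verified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_roles(claims, client_id):
    """Roles granted to the user for one client; empty if none were mapped
    (or if the client's scope settings kept them out of the token)."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def check_access(claims, client_id=CLIENT_ID, required_role=REQUIRED_ROLE,
                 issuer=ISSUER, now=None):
    """Raise AccessDenied unless the token comes from our realm, is unexpired,
    was issued for this client, and carries the required client role."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise AccessDenied("token issued by another realm")
    if claims.get("exp", 0) <= now:
        raise AccessDenied("token expired")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud and claims.get("azp") != client_id:
        raise AccessDenied("token was not issued for this client")
    if required_role not in client_roles(claims, client_id):
        raise AccessDenied(f"user lacks client role {required_role!r}")
    return True


def _unsigned_token(claims):
    """Build a JWS-shaped string from constructed claims so decode_claims()
    can be exercised offline.  Test scaffolding only: never accept unsigned
    tokens in production."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


# Constructed sample claims, shaped like a Keycloak access token.
SAMPLE_ALLOWED = {
    "iss": ISSUER, "azp": CLIENT_ID, "aud": CLIENT_ID, "exp": 4102444800,
    "preferred_username": "alice",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {CLIENT_ID: {"roles": [REQUIRED_ROLE]}},
}
# Same user shape, but only the default "account" client roles: must be denied.
SAMPLE_DENIED = dict(SAMPLE_ALLOWED,
                     resource_access={"account": {"roles": ["view-profile"]}})
```

If the mapped client role never shows up under `resource_access` in the token, the first place to look is the client's Scope tab in the admin console: with "Full Scope Allowed" turned off, only roles explicitly added to the client's scope are written into its tokens.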
SaaS idp brokering
by mj
Hi,
This question is slightly off-topic, I hope it's allowed to ask here.
We are using keycloak as an IdP, loving it. One of our sister institutes
is using another (openid connect / saml2 compatible) IdP.
Now a new project: Trying to achieve web SSO across both institutes, for
several web applications, mostly supporting only one single IdP.
We have made a PoC using keycloak's brokering function, and it worked
nicely. However, our sister institute prefers a SaaS solution.
I've done my googling, but terminology is confusingly different:
- onelogin ("trusted IdP")
- okta ("inbound federation")
- gluu ("inbound identity")
and obviously
- keycloak ("IdP brokering") (but not saas)
and I am not even sure that the above solutions are really the same as
keycloak's IdP brokering, and that they would solve our SSO requirement.
(doing a PoC would be the next step)
So I am asking for recommendations from the gurus here. What are the
dos and don'ts for something like this? Perhaps suggestions what to look
for, what to avoid, what other products to take a look at, etc.
Insights?
Thanks very much in advance, and again: apologies for being a bit
off-topic, hope not to offend anyone.
MJ
6 years, 1 month
ldaps configuration --> Bug or regression with ldap connection URL
by Meissa M'baye Sakho
Hello everyone,
I'm facing a very strange behaviour using keycloak 4.5 Final while
configuring my realm user federation with ldaps.
When I set the LDAP connection URL to ldaps://myldaphost, it works fine.
When I change it to LDAPS://myldaphost, the test connection fails with the
exception below (extract):
KC-SERVICES0055: Error when connecting to LDAP:
intra-dev01.bdf-dev01.local:636: javax.naming.CommunicationException:
intra-dev01.bdf-dev01.local:636 [Root exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
With Keycloak 3.4.3.Final, I used LDAPS without any problem.
Any advice?
Meissa
6 years, 1 month
Policy API endpoint lacks crucial information (in my opinion ; )
by Geoffrey Cleaves
Hi. When querying the
http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy
endpoint I get a response similar to this:
[
    {
        "id": "6d5ffed7-5f1c-4b43-b2a8-986528aaee92",
        "name": "b189864a-754e-4b5d-9c5b-f36fd9aad102",
        "type": "uma",
        "scopes": [
            "campaign:view"
        ],
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "owner": "45cb05ba-5485-459e-9cfc-25128adb1854",
        "users": [
            "user(a)domain.com"
        ]
    }
]
The problem here is that we don't know what resource this policy applies
to. As far as I know, there is no way to extract that information. Please
let me know if I am missing something.
I tried inspecting the network calls that the Admin Console does when
listing a user's UMA policies, but unfortunately for me the information
seems to be rendered server side instead of using the UMA REST API.
The goal is to recreate and enhance the Keycloak supplied UMA My Resources
functionality.
6 years, 1 month
Querying permissions of the Policy API always empty
by Geoffrey Cleaves
Hi,
I'm sending GET requests to
http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy
but only get an empty array. I have a permission/policy assigned to
hundreds of resources belonging to dozens of users and some resources owned
by the resource server itself. Reading the docs
<https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...>,
I expect to be able to get a list of all permissions or query by name.
Perhaps I am misunderstanding this:
This API is protected by a bearer token that must represent a consent
granted by the user to the resource server to manage permissions on his
behalf. The bearer token can be a regular access token obtained from the
token endpoint using:
- Resource Owner Password Credentials Grant Type
- Token Exchange, in order to exchange an access token granted to
some client (public client) for a token where audience is the resource
server
But I don't think so because if my token were wrong I'd get a 401 or 403
instead of 200 with an empty array. In any case I've tried with Client
Credentials Grant and Resource Owner Password Credentials Grant Type.
curl -D - -X GET \
https://.../authz/protection/uma-policy \
-H 'Authorization: Bearer eyJh' \
-H 'Cache-Control: no-cache' \
-H 'Postman-Token: deb09a7a-0499-430f-8164-3097e5ac145d' \
-H 'cache-control: no-cache'
HTTP/1.1 200 OK
Server: nginx/1.11.10
Date: Sun, 18 Nov 2018 11:23:41 GMT
Content-Type: application/json
Content-Length: 2
Connection: keep-alive
Cache-Control: no-cache
[]
Any advice?
6 years, 1 month
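The two Policy API questions above (a listing that omits the resource, and a listing that comes back empty) can both be approached from the resource side. The block below is an added example for this digest, not code from either post or from Keycloak. It relies on two documented endpoints and one assumption: GET `/authz/protection/resource_set` (Protection API, authorised by a PAT) returns the ids of the resources registered by the resource server; GET `/authz/protection/uma-policy?resource={id}` (Policy API) lists the policies attached to one resource, so the resource id missing from the plain listing is supplied by the query instead; and, per the docs quoted in the second post, the Policy API token must represent the user whose permissions are being managed, whereas a client-credentials PAT represents the resource server, which is assumed to own no user-managed policies and therefore lists `[]`. HTTP is injected through `get_json` so the logic runs offline against constructed responses; the host, realm, resource ids and policy below are all constructed.

```python
"""Associate UMA policies with the resources they protect.

Added example; not code from the posts above and not Keycloak's.  See the
lead-in for the endpoint and token assumptions.
"""
import json
import urllib.parse
import urllib.request


def http_get_json(url, token):
    """Real transport: GET url with a bearer token and parse the JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def policies_by_resource(base_url, pat, user_token, get_json=http_get_json):
    """Return {resource_id: [policy, ...]} for every registered resource that
    has at least one policy owned by the user behind user_token.

    Two different tokens are needed: the PAT authorises the resource listing,
    the user's token authorises the policy query (a PAT there lists [])."""
    resource_ids = get_json(f"{base_url}/authz/protection/resource_set", pat)
    mapping = {}
    for rid in resource_ids:
        url = (f"{base_url}/authz/protection/uma-policy"
               f"?resource={urllib.parse.quote(rid, safe='')}")
        policies = get_json(url, user_token)
        if policies:
            mapping[rid] = policies
    return mapping


def policy_index(mapping):
    """Invert the mapping to {policy_id: resource_id}, which is what a
    rebuilt "My Resources" page needs when it starts from a policy id."""
    return {p["id"]: rid for rid, policies in mapping.items() for p in policies}


# Constructed responses mimicking the two endpoints, for offline use.
BASE = "https://kc.example.org/auth/realms/demo"
SAMPLE_POLICY = {
    "id": "pol-1", "name": "share with bob", "type": "uma",
    "scopes": ["campaign:view"], "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS", "owner": "owner-1",
    "users": ["bob@domain.com"],
}
SAMPLE_RESPONSES = {
    f"{BASE}/authz/protection/resource_set": ["res-1", "res-2"],
    f"{BASE}/authz/protection/uma-policy?resource=res-1": [SAMPLE_POLICY],
    f"{BASE}/authz/protection/uma-policy?resource=res-2": [],
}


def sample_get_json(url, token):
    """Offline stand-in for http_get_json; ignores the token."""
    return SAMPLE_RESPONSES[url]
```

Because the resource listing and the policy query are authorised by different principals, a script that obtains one token with the client-credentials grant and reuses it for both calls will see resources but no policies; obtain the user's token (password grant or token exchange, as the quoted docs list) for the `uma-policy` calls.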
internal server error on /permission endpoint
by Robert Richter
Hi all,
I'm using keycloak 4.5.0-FINAL in docker (
https://hub.docker.com/r/jboss/keycloak/)
I try to issue a permission ticket. Therefore I have requested a PAT for
the client "resource-provider" and send this along with the following json
body (with and without scopes). I received a http-500 internal server
error.
without scopes:
{
    "resource_id": "resource-provider"
}
with scopes:
{
    "resource_id": "resource-provider",
    "resource_scopes": [
        "private-data.read"
    ]
}
Did I miss something? I also tried to investigate the log file
(/opt/jboss/keycloak/standalone/log/server.log) and increase the log level
in standalone.xml, but it seems that nothing is written to that file. I
restarted jboss with jboss-cli.sh /:reload. Do you have any suggestions for
me?
Kind regards
Tobert
6 years, 1 month
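For comparison with the request bodies in the post above, here is an added example of a permission-ticket request in the shape the Keycloak documentation describes; it is not the poster's code and not Keycloak's. The documented format is a POST to `/authz/protection/permission` with a PAT as bearer token and a JSON array of `{"resource_id": ..., "resource_scopes": [...]}` objects, where `resource_id` is the id of a resource registered through `/authz/protection/resource_set` (not a client id), answered with 201 and `{"ticket": "..."}`. The UUID shape check is an assumption about how Keycloak generates resource ids, and the base URL, PAT and resource id used below are constructed.

```python
"""Build and send a permission-ticket request to the Protection API.

Added example; not the poster's code and not Keycloak's.  Assumptions are
listed in the lead-in; the UUID check in particular is an assumption.
"""
import json
import re
import urllib.request

# Keycloak-generated resource ids look like UUIDs (assumption, used only to
# catch the common mistake of passing a client id or a resource *name*).
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def ticket_request_body(wanted):
    """wanted: iterable of (resource_id, scopes) pairs -> request body (a list).
    An empty scopes list asks for a ticket covering the whole resource."""
    body = []
    for resource_id, scopes in wanted:
        if not UUID_RE.match(resource_id):
            raise ValueError(
                f"{resource_id!r} does not look like a resource id; resolve the "
                "name first via GET /authz/protection/resource_set?name=...")
        entry = {"resource_id": resource_id}
        if scopes:
            entry["resource_scopes"] = list(scopes)
        body.append(entry)
    return body


def request_ticket(base_url, pat, wanted, opener=urllib.request.urlopen):
    """POST the ticket request with the PAT and return the ticket string.
    opener is injectable so the call can be exercised offline."""
    data = json.dumps(ticket_request_body(wanted)).encode()
    req = urllib.request.Request(
        f"{base_url}/authz/protection/permission", data=data, method="POST",
        headers={"Authorization": "Bearer " + pat,
                 "Content-Type": "application/json"})
    with opener(req) as resp:
        if resp.status != 201:
            raise RuntimeError(f"unexpected status {resp.status} from permission endpoint")
        return json.load(resp)["ticket"]


# Constructed resource id, in the UUID shape Keycloak uses.
SAMPLE_RESOURCE_ID = "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"
```

Note that the body is a list even for a single resource; sending a bare object, or a client id in place of a resource id, is not the documented input.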
SSO experience
by Ori Doolman
Hi,
I have 2 applications: one is desktop (Windows) and the other one is a web application.
My desktop application performs authentication and login using Keycloak and gets a JWT access token.
My web application is using the Keycloak JS adapter to perform the same.
After I login to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again?
Maybe I can pass the token and refresh token from desktop application as init parameters to the Keycloak-JS ?
I see the following code is checking if initOptions contains the token:
function processInit() {
    var callback = parseCallback(window.location.href);
    if (callback) {
        window.history.replaceState({}, null, callback.newUrl);
    }
    if (callback && callback.valid) {
        return setupCheckLoginIframe().success(function() {
            processCallback(callback, initPromise);
        }).error(function (e) {
            initPromise.setError();
        });
    } else if (initOptions) {
        if (initOptions.token && initOptions.refreshToken) {
            setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
6 years, 1 month
Authenticated Protocol Mapper?
by Hannah Short
Hi,
I’d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible?
The objective is for the mapper to be able to call an API that is protected also by Keycloak.
The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow.
Any guidance, including alternative approaches, would be appreciated!
Cheers,
Hannah
6 years, 1 month