December 2018 - keycloak-user - Jboss List Archives

Access permission as member of a specific group

by Julien Deruere

I would like to know how my resource-server can know which resource I can access as a member of a specific group. For now I'm doing this: request.post(`${kcConfig['auth-server-url']}/realms/${kcConfig.realm}/protocol/openid-connect/token`) .send({ grant_type: 'urn:ietf:params:oauth:grant-type:uma-ticket', audience: 'nimbee-gateway', response_mode: 'permissions' }) .set('Authorization', request.headers.authorization) .set('Content-Type', 'application/x-www-form-urlencoded') .set('X-Client', 'keycloak-nodejs-connect'); Which give me a list of all resources with permission I have since I'm in multiple groups. But how can I do to have only resources I can access for a specific group? Thanks

5 years, 12 months

1
0
0 / 0

use JBoss/Javaadapter to verify both realm and client roles

by Adrian Matei

Hi everyone, Is there a possibility to *declaratively* verify in the JBoss/JavaAdapter that the user(service account) has both REALM and Client roles? In the documentation I found the following: use-resource-role-mappingsIf set to true, the adapter will look inside the token for application level role mappings for the user. If false, it will look at the realm level for user role mappings. This is *OPTIONAL*. The default value is *false*. It sounds like is one or the other, which is kind of limited.... Thanks and regards, Adrian

5 years, 12 months

1
0
0 / 0

G Suite SSO incorrect redirect to admin.google.com

by Amin Khoshnood

Hello everybody, I configured Keycloak through this guide <https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-...> ( https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-...) and it imports users from FreeIPA (LDAP). Right now when I login to G Suite through Keycloak (SAML), Google redirects me to admin.google.com (with regular user account) and I get the error ' admin.google.com is for G Suite accounts only. Regular Gmail accounts cannot be used to sign in to admin.google.com. Learn more'. Google support team answered: "We have noticed that during these last few days a significant number of cases have been created about this same matter and overall integration with KeyCloack SSO. We understand how important this configuration is or you and believe me that we have been working as fast as we can." You can check these video casts about the problem: MacOS and Chrome: https://drive.google.com/file/d/16o6B0hzPtiMHBuG9CCBxe860o8JAE8w7/view?us... MacOS: https://drive.google.com/file/d/1Rk2KbV9iMsdg2UQox8p4XKz4soO7Gcuy/view?us... iPhone video: https://drive.google.com/file/d/12-6iWuL5xx3i0keFA5aPXpN5ghjH0uAn/view?us... Do you have the same issue with G Suite SSO or any other services? Also please let me know if there are any problems with other SPs (service providers) like Microsoft 365? Best Regards. Amin Khoshnood.

5 years, 12 months

1
1
0 / 0

NullPointerExeception when trying to obtain Requesting Party Token

by Julien Deruere

II need to access resources that the user is allow to: In my client I'm starting by obtaining a PAT: curl -X POST \ -H "Content-Type: application/x-www-form-urlencoded" \ -d 'grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}' \ "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/t..." And then using the access_token in the body to get my RPT: curl -X POST \ http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \ -H "Authorization: Bearer ${access_token}" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience={resource_server_client_id}" But I got this exception in Keycloak (I'm not sure what I'm doing wrong): 21:15:19,307 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-10) Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions at org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector.onError(DecisionPermissionCollector.java:141) at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:69) at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:81) at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluateAllPermissions(AuthorizationTokenService.java:239) at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:166) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1148) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192) at sun.reflect.GeneratedMethodAccessor796.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.NullPointerException at org.keycloak.authorization.policy.evaluation.DefaultEvaluation$1.getUserGroups(DefaultEvaluation.java:255) at org.keycloak.authorization.policy.provider.group.GroupPolicyProvider.evaluate(GroupPolicyProvider.java:53) at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.lambda$evaluate$1(AbstractPermissionProvider.java:51) at java.lang.Iterable.forEach(Iterable.java:75) at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080) at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:43) at org.keycloak.authorization.policy.provider.permission.ScopePolicyProvider.evaluate(ScopePolicyProvider.java:52) at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:107) at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.cacheQuery(StoreFactoryCacheSession.java:981) at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.findByResource(StoreFactoryCacheSession.java:879) at org.keycloak.authorization.AuthorizationProvider$3.findByResource(AuthorizationProvider.java:400) at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.evaluate(DefaultPolicyEvaluator.java:68) at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:64) ... 75 more

5 years, 12 months

1
0
0 / 0

How to get "current" AuthenticatorConfigModel without access to AuthenticationFlowContext

by Luis Cardozo

Hello, I am doing an Authenticator provider based on the SecretQuestionAuthenticator example. (Let's call it MyAuthenticator) In the SecretQuestionAuthenticator example, in *setCookie(AuthenticationFlowContext context)* we can get the "actual" AuthenticatorConfigModel directly: context.getAuthenticatorConfig() I want to use a new entry (added by the Factory, as in the example) in which I have an URL of an external service (the key is called "url.externalservice"). I can get the config entry it in MyAuthenticator#action(AuthenticationFlowContext context) without problem: AuthenticatorConfigModel config = context.getAuthenticatorConfig(). if (config != null) { externalServiceURL = config.getConfig().get("url.externalservice"); } But I also need to get the entry from another place. In this case in configuredFor(KeycloakSession session, RealmModel realm, UserModel user) Searching a lot, reading code and trying things, I got it from realm: realm.getAuthenticatorConfigs().get(0).getConfig().get("url.externalservice"); I also need to use it in MyAuthenticator*RequiredAction*, in processAction(RequiredActionContext context). But I don't have a context.getAuthenticatorConfig() in RequiredActionContext, so I also use it as: context.getAuthenticationSession().getRealm().getAuthenticatorConfigs().get(0).getConfig().get("url.externalservice"); But I am not sure that my "current configuration" will be always the position 0 of the array. We have realm.getAuthenticatorConfigByAlias() and getAuthenticatorConfigById(), but, how do I know wich is the alias or ID of the "current" context? So, how can I know the "current" AuthenticatorConfig Alias or ID, or how can I get the current AuthenticatorConfig from these places? Thanks, Luis Cardozo Ciudad del Este, Paraguay

5 years, 12 months

1
0
0 / 0

How to redirect back to our web app in error situation.

by Simon Buch Vogensen

Hi We are using Keycloak 2.5.5 (Redhat SSO 7.1) as an identity broker with Signicat.com as oidc identity provider. If Signicat for some reason (like user aborting Signicat login flow) returns an error to Keycloak. How am I able to redirect from there to my web app which initially started the request? Here is the url that Im redirected back to. As you can see there is no redirect url back to my web app. Is it possible to get hold of the redirect url from Keycloak via the state value? https://sso.server/auth/realms/realm/broker/oidc/endpoint?error=access_de... It seems like a part of the state is coming from Keycloak - heres the Keycloak request before being redirected to Signicat. https://sso.server/auth/realms/realm/broker/oidc/login?code=pQD4oJ2Hf3ueQ... As you can see in the code value, the part after the dot is the same as in state. Am I able to use that for accessing the redirect_uri? Kind Regards Simon Vogensen

5 years, 12 months

1
0
0 / 0

OIDC Identity Provider userinfo parsing problem

by Simon Buch Vogensen

Hi We are using keycloak 2.5.5 (redhat sso 7.1) as an identity broker with Signicat.com as oidc identity provider. When keycloak requests userinfo from signicat the response does not parse correctly. Here is an example response. {"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen","signicat.national_id":"123412341234","given_name":"Simon","locale":"SV","family_name":"Vogensen"} The problem is the dot in the parametername "signicat.national_id" conflicts with the JSON_PATH_DELIMITER in AbstractJsonUserAttributeMapper resulting in the value not getting parsed at all. The fix I have come up with would be a currentNode = baseNode.get(fieldPath); call after no node has been found. See line 206. I guess this little problem does not qualify for a fix of 2.5.5 - and I don't want to patch our installation - so I guess my best option is to create a specific Signicat Identity Provider - and fix the response in there before sending it into keycloak? Is this problem fixed in newer versions of keycloak? Thanks in advance Regards Simon Buch Vogensen

5 years, 12 months

2
2
0 / 0

URLs in REST API Documentation

by Gareth Western

I'm reading about the REST API and in the documentation (e.g. https://www.keycloak.org/docs-api/4.6/rest-api/index.html#_users_resource) it mentions that the "BasePath" is "/auth" So, for example, to get a list of all users for a realm the URL is documented as "/{realm}/users". This implies that the full URL would be something like GET "http://localhost:8080/auth/{realm}/users" however this returns a 404. All other examples and questions about getting a user seem to use the "admin/realms/{realm}/users" url (i.e. " http://localost:8080/auth/admin/realms/{realm}/users"). Is the documentation incorrect? Kind regards, Gareth

5 years, 12 months

1
0
0 / 0

Are the URLs in the REST API documentation correct?

by Gareth Western

I'm learning about the REST API and in the documentation it mentions that the "BasePath" is "/auth" To get, for example, a list of all users for a realm the (GET) URL is documented as "/{realm}/users". This implies that the full URL would be something like "http://localhost:8080/auth/{realm}/users" however this returns a 404. All other examples and questions about getting a user seem to use the "admin/realms/{realm}/users" url (i.e. " http://localost:8080/auth/admin/realms/{realm}/users"). Is the documentation incorrect? Kind regards, Gareth

5 years, 12 months

1
0
0 / 0

Public client token to Bearer Token

by Hariprasad N

Hi All, How can I use JWT token created with public client to access Rest API in Bearer-Only client. -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore – 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m* *www.ramyamlab.com* <http://www.ramyamlab.com/>

5 years, 12 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user December 2018