Wrap a Legacy Identification / Authentication Service
by Logan HAUSPIE
Hello there,
I'm a French guy so forgive my poor English.
I'm very new to Keycloak. I know a bit about OAuth2 but I am not used
to tweaking it with Plugins/Provider/Mapper and so on.
So maybe you could help me.
My Legacy Service
-------------------------------------------------------------------
Input (application/x-www-form-urlencoded):
login
password
flag
Output JSON:
{
"identity": {
"civilite": "Mr",
"email": "",
"iad": "USER_IDENTIFIER",
"mes": "",
"nom": "HAUSPIE",
"prenom": "Logan",
"rcd": "ACC",
"sid": "0MZvh5mJVfQ5sPsZS10JW6mcTQPGxJSJzy2J6" <1>
}
}
<1> This is the JSessionID, so it's session-specific data, not
user-specific data
or this one if something goes wrong:
{
"identity": {
"rcd": "ERR"
}
}
My purpose is to implement OAuth2 (OIDC) based on my legacy service without
modifying it and without migrating all my users to Keycloak local storage.
I also want to add all these properties (especially sid) to the access
token at `LOGIN` time but it's maybe another topic, or not.
My Keycloak installation
-------------------------------------------------------------------
Version 3.4.3.Final with Docker
Java 8 developer
What I've already tried
-------------------------------------------------------------------
I found some information about that here:
- https://github.com/keycloak/keycloak/tree/master/examples/providers
- http://lists.jboss.org/pipermail/keycloak-user/2016-June/006470.html
(too old to be useful because it deals with UserFederationProvider, which
does not exist anymore in version 3.4.3.Final)
- https://github.com/Smartling/keycloak-user-migration-provider (too old
to be useful, for same reason)
Authenticator doesn't seem to be what I need (according to this maybe too
old answer:
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006470.html)
because I don't want to add some additional authentication
information/form. Maybe I'm wrong.
So according to this documentation about "[migrating from an earlier
UserFederationProvider](
http://www.keycloak.org/docs/3.4/server_development/#migrating-from-an-ea...)"
and based on my previous research, I tried to write my own implementation
of UserLookupProvider mixed with CredentialInputValidator (a.k.a.
UserStorageProvider) to call my legacy service.
The first problem is that when Keycloak is calling getUserByUsername it
doesn't provide the user password so I'm not able to get the user
information from my legacy service at this time.
The second problem is that getUserByUsername is called before isValid so I
can't "store" the user password during the call to isValid in order to use
it in getUserByUsername.
Secondary subject
-------------------------------------------------------------------
During these tries, I tried to inject a random JSessionID value into the
UserModel.attribute map but this data is "stored" (I don't know how or
why).
So when I log in again (using the authorization code grant flow) the
getUserByEmail method of my Provider is not called again so the JSessionID
is not updated.
As far as I understand, adding information inside UserModel.attribute map
makes this information user-specific and not session-specific.
I need to request my Legacy Authentication Service on each login to update
the JSessionID coming from the legacy service.
My Questions
-------------------------------------------------------------------
Am I going the wrong way about calling my legacy service?
Did I miss something in the identification/authentication sequence of
Keycloak?
Is there another way to do what I need to do?
How do I inject session-specific data as a claim inside the JWT?
Thanks in advance for your valuable support.
Best regards,
*Logan HAUSPIE*
6 years, 11 months
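An added sketch (not the poster's code and not Keycloak's own) of the lookup-then-validate order described in the post, against the 3.4 UserStorageProvider SPI it names: getUserByUsername only has the username, so it returns a minimal adapter, and the legacy service is called from isValid, the first point where the password exists. The LegacyAuthClient interface, the flag value and the class names are assumptions; mapping sid into a session-scoped claim is not covered here.

```java
import java.util.Map;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

/** Hypothetical client for the legacy endpoint: posts login/password/flag, returns the parsed "identity" object. */
interface LegacyAuthClient {
    Map<String, String> authenticate(String login, String password, String flag);
}

public class LegacyUserStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {
    private final KeycloakSession session;
    private final ComponentModel model;
    private final LegacyAuthClient legacy; // assumed helper, not a Keycloak API
    public LegacyUserStorageProvider(KeycloakSession session, ComponentModel model, LegacyAuthClient legacy) {
        this.session = session; this.model = model; this.legacy = legacy;
    }
    // Lookup runs before validation and only receives the username, so the legacy service
    // cannot be called yet; a lightweight adapter carrying just the username is returned.
    @Override public UserModel getUserByUsername(final String username, RealmModel realm) {
        return new AbstractUserAdapter(session, realm, model) {
            @Override public String getUsername() { return username; }
        };
    }
    @Override public UserModel getUserById(String id, RealmModel realm) {
        return getUserByUsername(StorageId.externalId(id), realm); // id has the form f:<component>:<username>
    }
    @Override public UserModel getUserByEmail(String email, RealmModel realm) { return null; }
    // The password is first available here, so this is where the legacy call happens. Only
    // rcd != "ERR" is a success; sid is session data and is deliberately not stored on the user.
    @Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) return false;
        Map<String, String> identity = legacy.authenticate(
                user.getUsername(), ((UserCredentialModel) input).getValue(), "LOGIN_FLAG"); // flag value assumed
        return identity != null && !"ERR".equals(identity.get("rcd"));
    }
    @Override public boolean supportsCredentialType(String type) { return CredentialModel.PASSWORD.equals(type); }
    @Override public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) { return supportsCredentialType(type); }
    @Override public void close() {}
}
```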
Add provider to flow
by Daan Zwaenepoel
Hi,
I am building a custom registration flow in our keycloak app.
What I already did is write a new provider that implements FormAction
and FormActionFactory. I also added a new flow in the admin panel. The
problem I have is that I don't know how to link my flow to my new
provider (it doesn't show up in the drop-down when I do /Add execution/).
Do I need to add something to standalone.xml or do I miss something bigger?
The documentation is not very useful, from
http://www.keycloak.org/docs/3.3/server_development/topics/auth-spi.html
: "I'm hoping the UI is intuitive enough so that you can figure out for
yourself how to create a flow and add the FormAction."
Thanks
Daan
6 years, 11 months
Default Client Template for Dynamic Clients
by Jonas Schönenberger
Hi everyone
Is it possible to define a default client template that every new dynamic
client (OpenID Connect Dynamic Client Registration) receives during
registration?
Thank you for your help and Best Regards
Jonas
6 years, 11 months
Email verification before user registration
by Adrian Gonzalez
Hello,
Is there a way to verify the user's email before completing the user registration?
Thanks for the tips !
P.S. I've tried to create a custom FormAuthenticator and FormAction to display a first page in the Registration Flow and send a verification email, but I'd need to resume the registration flow when the user clicks on an email link (and I don't know how). So I suppose this is not the way to go.
6 years, 11 months
(no subject)
by Celso Agra
All,
Please, I need some help on the admin client. I'm trying to change an LDAP attribute
from my Keycloak server. When I change this info, my user just disappears
from Keycloak, and I have to synchronize it again.
Am I doing something wrong?
Here is my code below:
public void setAttribute(String id, String attr) {
    RealmResource realmResource = keycloak.realm(properties.getKeycloakAppRealm());
    UserResource userResource = realmResource.users().get(id);
    UserRepresentation userRepresentation = userResource.toRepresentation();
    // setAttributes() replaces the whole attribute map; merging into the existing
    // map keeps the attributes the user already has instead of dropping them.
    Map<String, List<String>> attributes = userRepresentation.getAttributes();
    if (attributes == null) {
        attributes = new HashMap<>();
    }
    attributes.putAll(mapAttribute("LDAPAttribute", attr));
    userRepresentation.setAttributes(attributes);
    userResource.update(userRepresentation);
}
PS.: this info is set on the LDAP user when I call this method, but it looks
like the user is removed or unsynced from Keycloak.
PS.2: I'm using slapd (OpenLDAP)
Best Regards,
--
---
*Celso Agra*
6 years, 11 months
Refreshing Tokens
by Christopher Davies
I am adding Keycloak to a legacy application that uses GWT and Jetty.
I have managed to add Keycloak to the application using Spring Security.
Because this is GWT I am doing the authorisation in the application myself.
Spring just provides a way to get access to the KeycloakSecurityContext.
The issue I have is refreshing the token. I can get hold of
a RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot
refresh a token if the roles have changed.
Is this correct? I was hoping that the application could notice the role
changes and adapt itself on the fly.
I do not want to have to log out to get the new roles if at all possible. Is
there something that I have overlooked that will allow
me to use the idToken to get a new accessToken, given that the
authentication of the user is still valid and it is just the roles the user is
in that have changed?
Thanks
Chris
6 years, 11 months
Keycloak 3.4 and Oracle Timesten
by Upananda Singha
Hi all,
I have been trying to configure Keycloak with Oracle Timesten but without
any success.
Has anybody ever tried Timesten as the backend database for Keycloak? It would be
of great help if anyone can give some pointer on whether Timesten can be
used with Keycloak 3.4 at all.
Thanks & regards,
*Upananda *
6 years, 11 months
keep login state after closing browser
by Ori Doolman
Hi,
My web application is using the Keycloak JS adapter, and I'm using the 'implicit' flow for getting the access token.
I have a requirement to prevent the user from keying in passwords again for 24 hours (assuming the token expires after 24 hours), even after the browser is closed and re-opened.
There is a cookie called 'KEYCLOAK_IDENTITY', which I assume preserves the login state, but it is a session cookie and it is deleted after closing the browser window.
I also see that in the initOptions of the adapter, I can pass an existing access token via the 'token' property. Hence, I was thinking to persist the 24-hour access token into localStorage and then read it and pass it as part of initOptions to the adapter when my application starts.
However, I cannot make it work and I'm not even sure it is possible to do so.
Is it possible to use the 'token' initOption like that?
If not, is there a recommended approach for implementing such a requirement?
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
6 years, 11 months
Custom registration flow
by Daan Zwaenepoel
Hi,
I am Daan Zwaenepoel, a final-year ICT student. For my student job I have
to integrate Keycloak into an Angular app.
What I already did: set up the Keycloak server, make the link to the
Angular app, start a custom theme, and the login flow works.
My next task is to build the registration page and make it work. The
last point is where I have been stuck for a while.
In the Keycloak base registration flow you have the base fields
username, firstname, lastname, email, password and password-confirm. Now
the point where I have been stuck: in our registration we have one more
field and I don't know how to add this custom field to the flow. Is there
anyone who can help me or give me tips on building this custom
registration flow?
Thanks!
Daan
6 years, 11 months
RH-SSO security patches in Keycloak
by RickT153 .
Hello,
I have found that there have been a few security issues, which have been
patched for RH-SSO.
https://access.redhat.com/errata/RHSA-2017:2904
I assume that Keycloak has been affected by the same problems, as RH-SSO is
based on Keycloak. However, I could not find any resources indicating that
any fixes have been applied to Keycloak.
So what is the current status on this subject? Is the latest version of
Keycloak affected by those vulnerabilities? Have they been patched? I will
appreciate any answer to those questions. More so, if the answers include
links from which I can confirm the answers for myself.
Thanks and best regards,
Patrick
6 years, 11 months