Spring Security adapter
by Д Михаил
Hello,
I'm going to use Spring Session to substitute container-specific session management and for session clustering purposes.
KeycloakSecurityContext will also be stored in the HTTP session. It means that KeycloakPrincipal with KeycloakSecurityContext will be serialized and deserialized between requests.
In this case I faced the following situation:
- After successful authentication
2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] f.KeycloakAuthenticationProcessingFilter : Auth outcome: AUTHENTICATED
2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] o.s.s.authentication.ProviderManager : Authentication attempt using org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider
2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] f.KeycloakAuthenticationProcessingFilter : Authentication success. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@b78d8e87: Principal: user1; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@1906910f; Granted Authorities: ROLE_user, ROLE_uma_authorization
- KeycloakSecurityContextRequestFilter clears SecurityContextHolder.
2018-02-14 01:02:52.715 DEBUG 14424 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /customers at position 11 of 15 in additional filter chain; firing Filter: 'KeycloakSecurityContextRequestFilter'
2018-02-14 01:02:52.715 DEBUG 14424 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /customers at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-02-14 01:02:52.716 DEBUG 14424 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fabe8e0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 06690a32-ab3f-48d6-8776-de16f5d1ad05; Granted Authorities: ROLE_ANONYMOUS'
As a result I had an infinite redirection loop between my webapp and the Keycloak server.
After some investigation I have found why it happened.
When KeycloakSecurityContextRequestFilter checks refreshableSecurityContext.isActive(), refreshableSecurityContext does not contain a KeycloakDeployment (it is null). Thus refreshableSecurityContext.isActive() is always false.
    public boolean isActive() {
        return token != null && this.token.isActive() && deployment != null && this.token.getIssuedAt() > deployment.getNotBefore();
    }
The cause of this situation is that RefreshableKeycloakSecurityContext is created via deserialization and the deployment is not reassigned.
If you agree that this is an issue, I can suggest a solution: set the deployment in the doFilter method of KeycloakSecurityContextRequestFilter.
    ...
    if (keycloakSecurityContext instanceof RefreshableKeycloakSecurityContext) {
        RefreshableKeycloakSecurityContext refreshableSecurityContext = (RefreshableKeycloakSecurityContext) keycloakSecurityContext;
        KeycloakDeployment deployment = resolveDeployment(request, response);
        if (refreshableSecurityContext.getDeployment() == null) {
            AdapterTokenStore adapterTokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, (HttpServletRequest) request);
            refreshableSecurityContext.setCurrentRequestInfo(deployment, adapterTokenStore);
        }
    ...
6 years, 10 months
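The mechanism behind the redirect loop in the Spring Security adapter post above, as an added example that is not the adapter's own code: Deployment, Token, RefreshableContext and SessionRoundTrip are hypothetical stand-ins that keep only the shape that matters (the token is serialized with the session, the deployment is transient per-node state), so a session-store round trip leaves the deployment null and isActive() reports false until the deployment is re-bound as the post proposes.

```java
import java.io.*;

// Stand-in for KeycloakDeployment: per-node configuration, not Serializable.
final class Deployment {
    final int notBefore;
    Deployment(int notBefore) { this.notBefore = notBefore; }
}

// Stand-in for the access token: stored with the session, so Serializable.
final class Token implements Serializable {
    final int issuedAt, expiration;
    Token(int issuedAt, int expiration) { this.issuedAt = issuedAt; this.expiration = expiration; }
    boolean isActive(int now) { return now < expiration; }
}

// Same shape as the context in the post: token serialized, deployment transient.
final class RefreshableContext implements Serializable {
    private final Token token;
    private transient Deployment deployment;
    RefreshableContext(Token token, Deployment deployment) { this.token = token; this.deployment = deployment; }
    void setCurrentRequestInfo(Deployment deployment) { this.deployment = deployment; }
    // The predicate quoted in the post: a null deployment short-circuits to false
    // even though the token itself is still valid.
    boolean isActive(int now) {
        return token != null && token.isActive(now) && deployment != null
                && token.issuedAt > deployment.notBefore;
    }
}

public class SessionRoundTrip {
    // Java serialization round trip, which is what a session store does between requests.
    static RefreshableContext roundTrip(RefreshableContext ctx) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(ctx); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (RefreshableContext) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Deployment deployment = new Deployment(1000);
        RefreshableContext ctx = new RefreshableContext(new Token(2000, 5000), deployment);
        System.out.println("fresh context active:    " + ctx.isActive(3000));
        RefreshableContext restored = roundTrip(ctx);   // transient deployment is null again
        System.out.println("restored context active: " + restored.isActive(3000));
        restored.setCurrentRequestInfo(deployment);     // the re-bind the post proposes
        System.out.println("rebound context active:  " + restored.isActive(3000));
    }
}
```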
Set Client Roles for Users with Admin Rest Api
by Jonas Schönenberger
Hi everyone
We try to set client roles while creating users through the Admin Rest Api.
The users get created successfully however no roles are mapped. We use the
following payload:
{"enabled":true,"username":"Jonas","credentials":[{"value":"zz","type":"password"}],"clientRoles":{"realm-management":["manage-users"]}}
Is something wrong with the payload, or do you have to set the roles in a
different way?
Thank you and Best Regards
Jonas
6 years, 10 months
Keycloak 3.4.3 Failover with session replication
by Libor Krzyžanek
Hi,
we're upgrading Keycloak from 1.9 to 3.4 and the caches changed quite a lot.
The setup is simply two nodes in HA mode. I see that the nodes see each other, but it's not clear to me what the easiest way to achieve failover with session replication is. In KC 1.9 we just increased owners=2 and it was enough.
We tried the default setup with distributed-caches (most of them have owners="1") and when one node is killed (not shutdown.sh but a hard java kill) then the user loses the session and is asked to log in again once the LB forwards traffic to the second node.
We tried to increase owners on these caches
<distributed-cache name="sessions" mode="SYNC" owners="2"/>
<distributed-cache name="offlineSessions" mode="SYNC" owners="2"/>
but with no luck.
I read this article: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html but we don't have JDG because it's just a simple cluster with two nodes within the same datacenter.
What is the best and easiest approach to achieve failover with session replication?
Thanks,
Libor
Libor Krzyžanek
Principal Software Engineer
Middleware Engineering Services
6 years, 10 months
Offline tokens with external IDP
by Haim Vana
Hi,
We have been using Keycloak for several weeks now; one of the flows is user script authentication with an offline token:
1. The user logs in to the UI
2. Generates an offline token by entering his password again
3. Puts the offline token in his script
4. Executes the script
Now we want to add external IDP support. First, is it possible to generate offline tokens for an external IDP in Keycloak? If so, how?
Second, in step #2 above the user enters his password to generate the offline token; with an external IDP we can't use his password. One alternative is to always generate the offline token at login (add offline_access), however does it make sense to create an offline token for every login?
Thanks,
Haim.
6 years, 10 months
How to add custom information (a session note) in UserSession
by Logan HAUSPIE
Hi there,
I would like to know what I have to do (server development) to add custom
data in the user session.
My purpose is to call an External Web Service to retrieve some data and add
it to the User Session.
This returned data will be different from one call to another. So it's
important for me to 'store' it in the session and not in the user.
Which Provider do I need to implement to do that?
Thanks in advance.
*Logan HAUSPIE*
6 years, 11 months
Using the adapters, without the server
by Gustav Lundin
Hi,
Is it possible to use the Keycloak adapters to secure an application against a different authorization server (like ADFS)? I know that the Keycloak server can integrate against ADFS and many other services, but for this use case I would like to avoid installing the server altogether. After some quick tests it seems like the adapters (at least the Java OpenID adapters) have hardcoded relative endpoint addresses which prevent them from working with different servers. Maybe I've missed it if there is a way to configure this, though?
Many thanks,
Gustav
6 years, 11 months
User REST API: n+1 selects
by Adrian Gonzalez
Hello,
I'm testing the KC 3.4.3 REST API and I get n+1 selects (aka 701 selects when asking for a page of 100 users).
Issue 1: Looking at the code, there's an n+1 select on the following UserEntity fields: attributes, requiredActions, credentials. The n+1 select is triggered by https://github.com/keycloak/keycloak/blob/8e53ccf5abb4d7cc3ab8d5abc9d0...
This can be solved by annotating these attributes with @Fetch(FetchMode.SUBSELECT). I also tried using EntityGraph, but it doesn't work since we're using Collection types (instead of Set) and because we're doing pagination while fetching ToMany associations.
Issue 2: n+1 select because we don't cache null values
We have this select executed n times:
    select resourcese0_.ID as ID1_60_0_, resourcese0_.ALLOW_RS_REMOTE_MGMT as ALLOW_RS2_60_0_, resourcese0_.POLICY_ENFORCE_MODE as POLICY_E3_60_0_ from RESOURCE_SERVER resourcese0_ where resourcese0_.ID=?
This one is done here: https://github.com/keycloak/keycloak/blob/8e53ccf5abb4d7cc3ab8d5abc9...
In the default setup, root.realmResourceServer() is null. Since StoreFactoryCacheSession doesn't cache null values, the return value never gets cached. I don't know how to easily solve that one.
Should I create an issue?
Thanks
6 years, 11 months
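The mapping change proposed for Issue 1 in the n+1 selects post above, as an added example that is not Keycloak's own UserEntity: UserEntity, UserAttributeEntity, the table and column names and the page() query are hypothetical, and it assumes Hibernate as the JPA provider (org.hibernate.annotations.Fetch is Hibernate-specific, not standard JPA).

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.persistence.*;
import org.hibernate.annotations.Fetch;
import org.hibernate.annotations.FetchMode;

// With a plain lazy collection, listing a page of N users and reading each
// user's attributes costs the page query plus N collection selects (the n+1).
// FetchMode.SUBSELECT tells Hibernate to load the collection for all users of
// that result set with one query that re-uses the page query as a subselect,
// which is the effect the post reports for attributes, requiredActions and credentials.
@Entity
@Table(name = "USER_ENTITY")
public class UserEntity {
    @Id
    @Column(name = "ID")
    private String id;

    // Collection (not Set) is kept as in the post; that typing is also why the
    // post could not use an EntityGraph for the same purpose.
    @OneToMany(mappedBy = "user", fetch = FetchType.LAZY)
    @Fetch(FetchMode.SUBSELECT)
    private Collection<UserAttributeEntity> attributes = new ArrayList<>();

    public String getId() { return id; }
    public Collection<UserAttributeEntity> getAttributes() { return attributes; }

    // Paged listing like the 100-user page in the post; touching attributes on the
    // first returned user then loads the collections of the whole page at once.
    public static List<UserEntity> page(EntityManager em, int first, int max) {
        return em.createQuery("select u from UserEntity u order by u.id", UserEntity.class)
                .setFirstResult(first).setMaxResults(max).getResultList();
    }
}

@Entity
@Table(name = "USER_ATTRIBUTE")
class UserAttributeEntity {
    @Id
    @Column(name = "ID")
    private String id;

    @Column(name = "NAME")
    private String name;

    @ManyToOne(fetch = FetchType.LAZY)
    @JoinColumn(name = "USER_ID")
    private UserEntity user;
}
```

Turn on Hibernate SQL logging while paging with and without the @Fetch annotation to confirm the collection selects collapse from one per user to one per page.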