Create realm from java admin client with access token vs username+password
by Nhut Thai Le
Hello,
In the admin client I see there is an overloaded method to create a Keycloak
instance using a token (Keycloak.getInstance(serverUrl, realm, clientId,
authToken)). Is this considered more secure than using the
username+password? If I'm using the access token in the method above,
I still need to make another call earlier with the username + password to
get the token; either way, the username + password will be in my code repo.
I think I can create an account in the master realm with the role create-realm.
Can I use that as a service account, or is there an existing service account
somewhere in the master realm?
I'm trying to integrate Keycloak into my multitenancy application where each
client has his own realm to configure his security. My application needs to
create the realm when the client registers with my app.
Thai
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
CONFIDENTIALITY NOTICE: The information contained in this e-mail is
confidential and may be proprietary information intended only for the use
of the individual or entity to whom it is addressed. If the reader of this
message is not the intended recipient, you are hereby notified that any
viewing, dissemination, distribution, disclosure, copy or use of the
information contained in this e-mail message is strictly prohibited. If you
have received and/or are viewing this e-mail in error, please immediately
notify the sender by reply e-mail, and delete it from your system without
reading, forwarding, copying or saving in any manner. Thank you.
CONFIDENTIALITY NOTICE: The information contained in this message is
confidential, may be protected by professional secrecy and is reserved
for the exclusive use of the addressee. Any other person is hereby
advised that it is strictly forbidden to disseminate, distribute
or reproduce this message. If you have received this communication in error,
please destroy it immediately and notify the sender. Thank you.
6 years, 10 months
Login issue when using KeyCloak as an identity broker
by The, Andrew
Hi,
I have configured KeyCloak as an Identity broker for OIDC use, and we are experiencing an issue when attempting to log in. I would appreciate some help regarding this situation.
Here are the steps we are using to experience the issue:
1) Connect to the SP, who redirects the user to sign on with KeyCloak;
2) The KeyCloak login page is displayed;
3) Select that IdP configured in KeyCloak; KeyCloak redirects the user to the IdP login page;
4) Login on that page; IdP redirects user to KeyCloak;
5) KeyCloak displays the "We're sorry ." page.
Here is the error message found in the logs:
12:15:24,530 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-15) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:444)
at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:346)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399)
at sun.reflect.GeneratedMethodAccessor828.invoke(Unknown Source)
<snip>
My understanding is that KeyCloak requests a 'response_type' of 'code' flow for communication with the IdP. However when the IdP responds, KeyCloak appears to require a 'token' response.
The closest JIRA I found was https://issues.jboss.org/browse/KEYCLOAK-5441.
Thank you,
--
Andrew The | Director Consulting
Global delivery center - Saguenay | CGI
930, Jacques Cartier Est, 3rd floor, Chicoutimi (Québec) G7H 7K9
T: 877 696 6780 #1653251 | P: +1 418 696 6780 #1653251 | C: +1 418 540 4475
andrew.the(a)cgi.com
CONFIDENTIALITY NOTICE: Proprietary/Confidential Information belonging to CGI Group Inc. and its affiliates may be contained in this message. If you are not a recipient indicated or intended in this message (or responsible for delivery of this message to such person), or you think for any reason that this message may have been addressed to you in error, you may not use or copy or deliver this message to anyone else. In such case, you should destroy this message and are asked to notify the sender by reply e-mail.
6 years, 10 months
Viewing permissions
by Corentin Dupont
Hi all,
I have a question around the representation and result of permissions.
Say I have an application that manages a socks inventory. The UI is
displaying a button to delete socks. However, some users don't have the
right to delete socks!
So, I perform a request to Keycloak to get the permission.
It works well: if the user doesn't have permission, the message
"authorization denied" is displayed on the screen.
However, it would be nicer to remove the "delete" button entirely.
My policies are quite complex and multi-dimensional: you can delete socks
if you are admin, but also if they belong to you, if you belong to some groups,
etc.
So anticipating the reply to an authorization request can be very hard.
What do you suggest? Should we perform a "test" authorization request
before displaying the "delete" button?
6 years, 10 months
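One way to answer the "test authorization request" question in the post above is to ask Keycloak's authorization services for a decision before rendering the button, and keep the real enforcement on the API that handles the delete. The following is an added example, not code from the original thread or from Keycloak itself; it assumes a realm named "socks", a resource server client "socks-api", and a protected resource "socks-inventory" with a "delete" scope (all constructed names). It sends the documented UMA ticket grant with response_mode=decision to the realm token endpoint using the JDK 11 HttpClient.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class DeleteButtonDecision {

    // Assumed (constructed) values: realm "socks", resource server client
    // "socks-api", resource "socks-inventory" carrying a "delete" scope.
    private static final String TOKEN_ENDPOINT =
            "http://localhost:8180/auth/realms/socks/protocol/openid-connect/token";
    private static final String AUDIENCE = "socks-api";

    // Form body for a UMA ticket request in decision mode: the server evaluates
    // all policies attached to resource#scope for the bearer of the access token
    // and answers only yes/no instead of issuing a permission token.
    static String decisionRequestBody(String resource, String scope) {
        return "grant_type=" + enc("urn:ietf:params:oauth:grant-type:uma-ticket")
                + "&audience=" + enc(AUDIENCE)
                + "&permission=" + enc(resource + "#" + scope)
                + "&response_mode=decision";
    }

    // True only when Keycloak answers 200 with {"result":true}.
    // A 403 means denied; any other status is also treated as "no" so that a
    // misconfiguration or outage never shows the button by accident.
    public static boolean userMayDelete(HttpClient http, String userAccessToken)
            throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
                .header("Authorization", "Bearer " + userAccessToken)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(
                        decisionRequestBody("socks-inventory", "delete")))
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        return response.statusCode() == 200
                && response.body().replace(" ", "").contains("\"result\":true");
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // The user's access token would normally come from the login session.
        String token = System.getenv("USER_ACCESS_TOKEN");
        boolean show = userMayDelete(HttpClient.newHttpClient(), token);
        System.out.println(show ? "render delete button" : "hide delete button");
    }
}
```

The decision call is a UI hint only: the delete endpoint itself must still evaluate the same permission on every request, because anyone can submit the request without the button.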
mandatory fields when create new realm from admin-client
by Nhut Thai Le
Hello,
I used the admin-client to create a new realm and I just want the default
settings, so I only set the name and enabled:
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.RealmRepresentation;

// admin-cli client in the master realm, username/password (password grant)
Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth",
"master", "admin", "admin", "admin-cli");
String realmName = "tenant1"; // placeholder name for the new realm
RealmRepresentation newRealm = new RealmRepresentation();
newRealm.setRealm(realmName);
newRealm.setEnabled(true);
keycloak.realms().create(newRealm);
I can see the realm created and enabled, but it seems like I cannot use it: when
I select the newly created realm, there is only one General tab and no menu
on the left to configure the realm, roles, clients, ... I can't even delete the
realm since there is no delete button; trying to delete it from the master
realm's clients gives the following error: org.h2.jdbc.JdbcSQLException:
Referential integrity constraint violation: "FK_TRAF444KK6QRKMS7N56AIWQ5Y:
PUBLIC.REALM FOREIGN KEY(MASTER_ADMIN_CLIENT) REFERENCES PUBLIC.CLIENT(ID)
('9626e6d0-bbd6-44bc-8b61-06be07d08a17')"; SQL statement:
delete from CLIENT where ID=? [23503-193]
As I look at the RealmRepresentation (
http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_realmrepresenta...),
all the fields are optional, which I assume means they have default values if not
specified. If this is a wrong assumption, could anyone tell me which fields
I should set to have a working realm?
I'm using 3.4.3.Final by the way.
Thai
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
6 years, 10 months
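The two posts by Nhut Thai Le above ask how to avoid a human username and password in the code base and which realm settings to set explicitly when provisioning a tenant realm. The following is an added example, not code from the thread or from the Keycloak project; it assumes a confidential client named "realm-provisioner" in the master realm with service accounts enabled and the master "create-realm" role granted to its service-account user, and it reads that client's secret from an environment variable (all of these are constructed assumptions). It uses the admin client's KeycloakBuilder with the client-credentials grant instead of Keycloak.getInstance with a password, creates the realm with explicit settings, and reads it back as a check.

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

public class TenantRealmProvisioner {

    // Assumed values: a confidential client "realm-provisioner" in the master
    // realm with "Service Accounts Enabled" and the master role "create-realm"
    // assigned to its service-account user. The secret is never in the repo.
    private static final String SERVER_URL = "http://localhost:8180/auth";
    private static final String CLIENT_ID = "realm-provisioner";

    // Client-credentials grant: the admin client obtains its own token from the
    // client id + secret, so no human account is involved at all.
    public static Keycloak connectAsServiceAccount(String clientSecret) {
        return KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm("master")
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(CLIENT_ID)
                .clientSecret(clientSecret)
                .build();
    }

    // Creates the tenant realm with explicit security settings rather than
    // relying on whatever the server defaults happen to be, then reads it back.
    public static RealmRepresentation createTenantRealm(Keycloak keycloak, String realmName) {
        RealmRepresentation realm = new RealmRepresentation();
        realm.setRealm(realmName);
        realm.setDisplayName("Tenant " + realmName);
        realm.setEnabled(true);
        realm.setSslRequired("external");        // HTTPS for non-private addresses
        realm.setBruteForceProtected(true);      // lock out password guessing
        realm.setRegistrationAllowed(false);     // tenant admins create users
        realm.setAccessTokenLifespan(300);       // seconds
        realm.setSsoSessionIdleTimeout(1800);    // seconds
        keycloak.realms().create(realm);
        // Throws (NotFound/Forbidden) if the realm is missing or the service
        // account cannot see it, which is a useful early failure.
        return keycloak.realm(realmName).toRepresentation();
    }

    public static void main(String[] args) {
        String secret = System.getenv("PROVISIONER_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("PROVISIONER_CLIENT_SECRET is not set");
        }
        Keycloak keycloak = connectAsServiceAccount(secret);
        try {
            RealmRepresentation created = createTenantRealm(keycloak, "tenant-acme");
            System.out.println("created realm " + created.getRealm()
                    + ", enabled=" + created.isEnabled());
        } finally {
            keycloak.close();
        }
    }
}
```

With a dedicated service-account client, the credential that can create realms is a client secret that can be rotated independently and scoped to exactly the create-realm role, rather than a master-realm admin password shared with the console.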
Authenticate against multiple realm management clients simultaneously
by moritz.becker@gmx.at
Hi,
I use Keycloak to secure an application that has two types of users: vendors
and customers.
I created one 'customer-realm' and one 'vendor-realm'.
Each realm also has one client which the application authenticates against,
depending on whether the vendor login or the customer login is used.
I also have a backoffice application that is separate from my main
application. Backoffice users should be able to manage both vendors and
customers.
I planned to utilize the auto-created realm management clients in the master
realm called 'customer-realm-realm' and 'vendor-realm-realm' that would
allow me to assign permissions to users in the master realm to manage the
other realms as needed.
However, when a user logs in to the backoffice application, it can only
authenticate against one of the realm management clients and not both (as
far as I see). So the user
would only receive half of the required permissions.
What is the best approach here?
Thank you!
6 years, 10 months
Keycloak - Application Clustering with sticky session
by Ariel Carrera
When you use "application.session.host" in the client's admin URL, in some
environments there is no way to reach the exact application node (with the
session created) to send a logout signal.
Keycloak doesn't have port number information inside "application.session.host",
so it is impossible to reach the exact application server node.
So... when your environment has more than one application server (WildFly,
JBoss, etc.) listening using port offsets, Keycloak tries to reach
application.session.host (port 80), but it's not a valid endpoint.
Is there a variable available for this (something like
"application.session.port")?
Thanks,
--
Ariel Carrera
6 years, 10 months
Re: [keycloak-user] [keycloak-dev] Running Keycloak in a clustered mode
by Marek Posolda
On 07/03/18 13:51, Chervine Majeri wrote:
> Hi,
> We're considering attempting the exact same setup, with 2 standalone
> keycloaks connected to the same backend DB.
>
> User session is one example. There are some other things, which won't
>
> work. We never tried to test such setup and I wouldn't do it.
>
> From what I've seen, only what's stored in the cache ends up being
> different, meaning the HA models really only differ in that they have
> a distributed cache. Is this correct? Or does it affect the connection
> to the DB too?
>
> From that assumption, seeing the content of "standalone-ha.xml", I see
> that it's mostly session related stuff and things like loginFailures
> that end up in the distributed cache.
> Since we have a session cookie, unique for every session, can we use
> session stickiness in the reverse-proxy to circumvent most of the issues?
Session stickiness is usually not sufficient. The OpenID Connect
specification uses some "backchannel" requests, which are not sent as
part of the browser session but directly between the client
application and Keycloak (for example the code-to-token request, the refresh
token request, etc.). Those requests won't carry the sticky session cookie, and
hence can be directed to a node other than the one that owns the session.
The only case where everything may work is if all your clients are
using the keycloak.js adapter (JavaScript clients run fully inside the browser
and so they can participate in the sticky session, as backchannel requests
are sent from the browser as well).
There are also some other cases when a sticky session is not sufficient.
For example, in scenarios when mail is sent to the user (e.g. "Forgot
password" functionality) and the user clicks on the link, but the link is
opened in a browser other than the one that "owns" the sticky session
cookie. Then it may happen that the request is served on the other browser
than the one that owns the session.
Finally, invalidations won't work. Keycloak uses caches to cache some
data for performance reasons. Those caches are "realms", "users" and
"keys". Every cluster node caches the data locally; however, when some
change happens (data are updated), the node that did the update
must notify the other nodes in the cluster about the change. If you don't use a
cluster, this won't work: other nodes won't be notified and
will still see stale data in their caches. In other words, when for
example you update user "john" on node1, node2 won't be aware of
this update and will still see stale (old) data for user "john" in its
cache. The only possible workarounds are:
- Disable the cache entirely (see our docs for more details)
- Ensure that the cache is cleared after every update (this is usually not
possible to achieve unless you have some special kind of deployment, e.g.
something close to a read-only deployment).
Marek
>
> Obviously the loginFailures feature wouldn't work all that well, but
> that would be acceptable for my use-case.
>
> Thanks,
> Chervine.
6 years, 10 months
Login UI locale reverting to browser's on wrong user/password
by Carlos Villegas
Hi,
I'm using the docker image version 3.4.0.Final. I've set up a realm and enabled internationalization, and set the default locale to English.
I'm using the JavaScript adapter and I set the locale I want in the login options. I have a custom theme where I've hidden Keycloak's login screen locale selection menu. I'm sending the locale using the login options of the login call of the JavaScript adapter.
The Keycloak login screen comes up in the correct locale I requested in the login options. However, if I put in the wrong password and submit, the next error screen comes up in what seems to be the web browser's default language.
For example, in an English Windows 10 installation using Chrome which is in English, I request the Japanese locale. The Keycloak login screen comes up correctly in Japanese, but if I enter the wrong password, the next error screen requesting to re-enter login info is in English, all labels and error messages in English. It seems Keycloak is forgetting my locale option and using the browser's.
Using the same server, from a Japanese Windows 10 machine, using Chrome in Japanese, the user requests the English locale and correctly gets the English login screen. Enters the wrong password, and the next error screen is in Japanese! Note that this is not even the default locale I've set up in Keycloak, which is English.
I see in the login URL sent from the client that the ui_locales parameter is properly set to the value I want; as I said, the first login screen is in the correct locale I've requested. The problem is that if there's any error, the screens with error messages don't have the correct locale.
Any idea of what can be happening, and if by any chance this has been corrected in the latest version of Keycloak? I haven't had the chance to test the latest version yet.
Cheers,
Carlos
6 years, 10 months
Restrict Enduser Access to some Clients.
by Jakob Ackermann
Hello Keycloak users,
I'm trying to achieve the following scenario with Keycloak and failing.
I've read through the documentation and could not find how I'm supposed to solve
this. If someone could help me by pointing me in the right direction it would be
much appreciated.
Realm: organization
clients:
google (as SP)
custom01
custom02 (without access to check for roles in the authentication script)
user roles:
user-google
user-custom01
user-custom02
users:
user1 -> roles: user-google, user-custom01
user2 -> roles: user-custom02
How can I permit only users with the role user-google to access the google
client? For custom clients I can change the code to look for the role, but
most SSO setups like Google don't have an option to do this. Is there a way
in Keycloak to restrict access?
Thanks so much.
6 years, 10 months