access granted when testing on admin console but denied by browser
by Nhut Thai Le
Hello,
I have 1 realm with 2 clients (client0 and client1). I want to set up
security so that some users can access client0, others can access client1
and some can access both. Here is what I did:
- Create a default realm role "USER" to be assigned to new accounts; this is
used to configure the security-constraint in the web.xml of my app
- Create a client role for each client; they have the same name though
(client-user). This is to configure a policy to grant access to anyone who has
the "client-user" role specific to the target client
- For each user who needs to access client0, I assign the client role
"client-user" of client0. The same thing for anyone who wants to access
client1
Here is my authorization config for client0
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "uri": "/*",
      "type": "urn:client0:resources:default"
    }
  ],
  "policies": [
    {
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "name": "Client Isolation By Role Policy",
      "description": "Anyone who has client-user role specific to this client",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"client0/client-user\",\"required\":true}]"
      }
    },
    {
      "name": "Default Permission",
      "description": "A permission that applies to the default resource type",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "urn:client0:resources:default",
        "applyPolicies": "[\"Default Policy\"]"
      }
    },
    {
      "name": "Client Isolation By Role Permission",
      "description": "Anyone who has client-user role specific to this client can access this client",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Default Resource\"]",
        "applyPolicies": "[\"Client Isolation By Role Policy\"]"
      }
    }
  ],
  "scopes": []
}
Authorization config for client1 is the same.
When I tested with the evaluate tab on the admin console, for some accounts,
I got the correct result.
However, when I try to access the clients from the browser, I get 403 all
the time. I think it has something to do with my web.xml config because I
see the 403 reason is !role when I am trying to access a client that I SHOULD
be able to access.
Here is my web.xml:
<module-name>client0</module-name>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>not-found-any-where</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>bigrealm</realm-name>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
Do I need to declare the client role in the web.xml? If not, what am I
missing?
Thank you in advance
Thai
6 years, 10 months
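The post above ends at the point where the servlet container returns 403 with reason !role. As an added example that is not part of the original post and is not Keycloak's adapter code, the script below models the two checks involved: which roles an adapter takes from the access token (realm_access.roles, or resource_access[client].roles when the adapter's use-resource-role-mappings option is set), and how a web.xml auth-constraint with `<role-name>*</role-name>` is evaluated, where `*` means any role listed in a `<security-role>` element. The token claims are constructed; role names are matched exactly (case-sensitive), which is how a Java string comparison behaves, and that assumption is labelled in the code.

```python
"""Added example, not from the original post and not Keycloak's adapter code:
how a servlet-style <auth-constraint> is decided against the roles carried in a
Keycloak access token. The token claims below are constructed."""

# Constructed access-token claims, shaped like Keycloak's realm_access /
# resource_access structure. Real tokens are signed JWTs; only the decoded
# payload matters for this check.
TOKEN_CLAIMS = {
    "preferred_username": "alice",
    "realm_access": {"roles": ["USER", "offline_access"]},
    "resource_access": {
        "client0": {"roles": ["client-user"]},
    },
}


def roles_from_token(claims, client_id, use_resource_role_mappings=False):
    """Collect the roles an adapter treats as the user's roles.

    Assumption (labelled): realm roles are read from realm_access.roles unless
    use-resource-role-mappings is set, in which case the roles come from
    resource_access[<client_id>].roles.
    """
    if use_resource_role_mappings:
        client = claims.get("resource_access", {}).get(client_id, {})
        return set(client.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def auth_constraint_allows(user_roles, role_names, declared_security_roles):
    """Evaluate an <auth-constraint>.

    role_names: the <role-name> entries of the constraint. '*' stands for any
    role declared in a <security-role> element (servlet spec semantics).
    Names are compared exactly and case-sensitively, as a Java String.equals
    comparison would do (assumption for this model).
    """
    required = set()
    for name in role_names:
        if name == "*":
            required |= set(declared_security_roles)
        else:
            required.add(name)
    return bool(required & set(user_roles))


def check_access(claims, client_id, web_xml_security_roles,
                 use_resource_role_mappings=False):
    """Return (allowed, reason); the reason string mirrors the !role outcome
    the poster observed in the 403 response."""
    user_roles = roles_from_token(claims, client_id, use_resource_role_mappings)
    if auth_constraint_allows(user_roles, ["*"], web_xml_security_roles):
        return True, "ok"
    return False, "!role"


if __name__ == "__main__":
    # web.xml declares "user" while the token carries "USER": no exact match.
    print(check_access(TOKEN_CLAIMS, "client0", ["user"]))
    # Same spelling on both sides: allowed.
    print(check_access(TOKEN_CLAIMS, "client0", ["USER"]))
    # With resource role mappings, client0's client-user counts, client1 has none.
    print(check_access(TOKEN_CLAIMS, "client0", ["client-user"], True))
    print(check_access(TOKEN_CLAIMS, "client1", ["client-user"], True))
```

Running the script with the constructed token shows the container-level check failing on an exact-name mismatch and succeeding once the declared role matches the token, independently of what the authorization policies in the evaluate tab return.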
Permission logic vs Policy logic
by Nhut Thai Le
Hello,
In the admin console, Logic can be set to Negative and Positive for Policy
but not Permission. This leads me to think that the Policy acts as a filter
and the Permission just ties that filter to a resource (with or
without scope). However, when I look at the permission test case
testCreateResourcePermission()
(
https://github.com/pedroigor/keycloak/blob/1e1de85685bb5d5f180f510630cd71...)
I see Permission also has Logic. So now I'm thinking Policy logic is to
negate the policy statement (if needed) and Permission logic is to control
deny or grant access to the resource; am I correct? If not, what is the
difference between Permission logic and Policy logic?
Why is there no option to change Permission logic in the admin console?
Thai
6 years, 10 months
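As an added example (not Keycloak's evaluation engine and not part of the post), the model below shows how Logic and Decision Strategy combine, using the semantics from the Keycloak authorization documentation: Positive keeps a policy's result, Negative inverts it; Unanimous requires every associated policy to grant, Affirmative at least one, Consensus more grants than denies. Policies are plain predicates over a constructed context, and the two permissions mirror the client0 configuration from the earlier message. How the outcomes of several permissions on one resource are merged is passed as a parameter (`resource_strategy`), because that is an assumption of this model rather than something the post states.

```python
"""Added example, not Keycloak's code: a small model of policy Logic and
Decision Strategy, built from the documented semantics. Contexts and
policies are constructed for illustration."""


def apply_logic(raw_result, logic):
    """Logic: POSITIVE keeps the evaluation result, NEGATIVE inverts it."""
    if logic not in ("POSITIVE", "NEGATIVE"):
        raise ValueError(logic)
    return raw_result if logic == "POSITIVE" else not raw_result


def combine(results, strategy):
    """Decision strategy over a list of boolean policy outcomes.
    UNANIMOUS: all grant; AFFIRMATIVE: at least one grants;
    CONSENSUS: more grants than denies. No policies means deny."""
    if not results:
        return False
    grants = sum(1 for r in results if r)
    denies = len(results) - grants
    if strategy == "UNANIMOUS":
        return denies == 0
    if strategy == "AFFIRMATIVE":
        return grants > 0
    if strategy == "CONSENSUS":
        return grants > denies
    raise ValueError(strategy)


def role_policy(required_roles, logic="POSITIVE"):
    """Role policy: every required role must be held (the 'required' flag
    in the posted config). Logic is applied to the policy's own result."""
    def evaluate(ctx):
        return apply_logic(all(r in ctx["roles"] for r in required_roles), logic)
    return evaluate


def js_grant_policy(logic="POSITIVE"):
    """Stands in for the posted JS policy that always calls $evaluation.grant()."""
    def evaluate(ctx):
        return apply_logic(True, logic)
    return evaluate


def evaluate_permission(policies, strategy, logic, ctx):
    """A permission combines its policies with its decision strategy and
    then applies its own logic to the combined result."""
    return apply_logic(combine([p(ctx) for p in policies], strategy), logic)


# Mirrors the client0 config posted earlier on this page.
CLIENT0_PERMISSIONS = [
    {"name": "Default Permission",
     "policies": [js_grant_policy()],
     "strategy": "UNANIMOUS", "logic": "POSITIVE"},
    {"name": "Client Isolation By Role Permission",
     "policies": [role_policy(["client0/client-user"])],
     "strategy": "UNANIMOUS", "logic": "POSITIVE"},
]


def resource_decision(permissions, ctx, resource_strategy="AFFIRMATIVE"):
    """Outcome for a resource across all permissions that apply to it.
    resource_strategy is an assumption of this model, not a value from the post."""
    outcomes = [evaluate_permission(p["policies"], p["strategy"], p["logic"], ctx)
                for p in permissions]
    return combine(outcomes, resource_strategy)


if __name__ == "__main__":
    realm_user = {"roles": ["USER"]}                              # constructed
    client0_user = {"roles": ["USER", "client0/client-user"]}     # constructed
    for strategy in ("AFFIRMATIVE", "UNANIMOUS"):
        print(strategy,
              resource_decision(CLIENT0_PERMISSIONS, realm_user, strategy),
              resource_decision(CLIENT0_PERMISSIONS, client0_user, strategy))
```

The run makes the practical consequence of the posted config visible: because "Default Permission" grants every realm user, a user without client0/client-user is still granted whenever permission outcomes are merged affirmatively, and is only isolated when they are merged unanimously.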
TimePolicy in Authorization Policy Evaluation
by Kousuke TANIGUCHI
Hi, All
I was experimenting with authorization and policy.
I feel that TimePolicy does not work well with *Contextual Information / Date*.
## Case 1.
TimePolicy : hour 12 - 14
Evaluate at 13:30:00
Result : PERMIT
## Case 2.
TimePolicy : hour 12 - 14
* Contextual Information *
Add Date/Time (MM/dd/yyyy hh:mm:ss) : 02/14/2018 09:30:00
Evaluate at 13:35:00
Result : PERMIT
## Case 3.
TimePolicy : hour 10 - 12
Evaluate at 13:40:00
Result : DENY
## Case 4.
TimePolicy : hour 10 - 12
* Contextual Information *
Add Date/Time (MM/dd/yyyy hh:mm:ss) : 02/14/2018 09:30:00
Evaluate at 13:40:00
Result : DENY
In TimePolicyProvider.java, actualTime = new Date();
but it should be checked whether
evaluation.getContext().getAttribute("kc.time.date_time") is provided.
Regards.
6 years, 10 months
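As an added example (not Keycloak's TimePolicyProvider and not part of the post), the check below takes the evaluation time from the kc.time.date_time context attribute when it is present and falls back to the clock otherwise, then replays the four cases from the post with a constructed clock of 13:30. The hour bounds are treated as inclusive, which is an assumption of this example.

```python
"""Added example, not Keycloak's TimePolicyProvider: an hour-range policy that
honours the kc.time.date_time context attribute when supplied. Clock value and
context attribute below are constructed from the cases in the post."""
from datetime import datetime

# The console's "MM/dd/yyyy hh:mm:ss" format from the post.
CONTEXT_DATE_FORMAT = "%m/%d/%Y %H:%M:%S"


def effective_time(context_attributes, now=None):
    """Time the policy evaluates against: the context attribute if provided
    (the check the post says is missing), otherwise the current clock."""
    raw = context_attributes.get("kc.time.date_time")
    if raw:
        return datetime.strptime(raw, CONTEXT_DATE_FORMAT)
    return now if now is not None else datetime.now()


def time_policy(hour_from, hour_to, context_attributes, now=None):
    """PERMIT when the effective hour lies within [hour_from, hour_to]
    (inclusive bounds assumed for this example), DENY otherwise."""
    hour = effective_time(context_attributes, now).hour
    return "PERMIT" if hour_from <= hour <= hour_to else "DENY"


CLOCK = datetime(2018, 2, 14, 13, 30, 0)               # constructed "now"
CONTEXT = {"kc.time.date_time": "02/14/2018 09:30:00"}  # from the post's cases


def cases():
    """The four cases from the post, with the context attribute honoured."""
    return {
        "case1": time_policy(12, 14, {}, CLOCK),       # 13:30 in 12-14: PERMIT
        "case2": time_policy(12, 14, CONTEXT, CLOCK),  # 09:30 in 12-14: DENY
        "case3": time_policy(10, 12, {}, CLOCK),       # 13:30 in 10-12: DENY
        "case4": time_policy(10, 12, CONTEXT, CLOCK),  # 09:30 in 10-12: DENY
    }


if __name__ == "__main__":
    for name, result in cases().items():
        print(name, result)
```

Case 2 is where the two behaviours differ: with the supplied 09:30 context date the policy denies, whereas the post reports PERMIT because the provider uses the wall clock instead.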
Best setup to extend Keycloak
by Francis Zabala
Hello,
What is the best setup to develop custom SPI for Keycloak. I just skimmed the example codes in github and wondered on how to test my codes. Not TDD way of testing but a simple, hey, will this run properly?
Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS api for subscriber verification.
Regards, Francis
6 years, 10 months
Registration Page URL
by Bruno Palermo
Hi,
Currently I'm using the JavaScript adapter to create the registration URL,
but we are facing some issues with Googlebot regarding the site redirection.
I tried to create the registration page URL manually:
https://localhost:8080/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=<client-id>&redirect_uri=<redirect-uri>&state=<random-uuid>&nonce=<random-uuid>&response_mode=fragment&response_type=code&scope=openid
Unfortunately, when the user clicks on the link, sometimes an error happens:
"Page has expired. To restart the login process. To continue the
login process".
Is it possible to redirect to the registration page without using the
Keycloak adapter?
Thanks,
Bruno
6 years, 10 months
2FA protection for a specific resource
by malys
Hi,
I want to protect a high-level risk feature with 2FA. Historically, we use
2FA SMS. I want to propose the same feature but ideally, I wish to be able
to integrate also native Keycloak OTP authenticator (more secure).
That's why, based on keycloak-sms-authenticator-sns
<https://github.com/nickpack/keycloak-sms-authenticator-sns>, I have
improved this authenticator (here
<https://github.com/malys/keycloak-sms-authenticator-sns/tree/feature/LyraSMS>
).

I have searched in Keycloak 3.4.3 documentation but, using the same realm, I
haven't seen any feature to ask 2FA when the final user wants to access a
specific resource.
Role mechanism allows managing access (403 - 200) but it seems that it doesn't
cover my use case.
I'm not sure that UMA 2.0 could be offering this feature. Moreover, it
isn't yet implemented.
Level of assurance seems very well but it isn't yet implemented and it would
be difficult to do it.

I could include a servlet filter on the business application (JBoss adapter)
to route user to 2FA authenticator when he wants to access the resource.
But in this case, I have to propagate a state between Keycloak and Java
adapter to not ask 2FA code for each access.
It could be a little bit tricky in cluster mode (stateless service).

Below, I describe the use case.

<http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resource_access_management.png>

Have you any idea to cover this use case easily based on native keycloak
features?
If that isn't the case, in your opinion, what is the best solution (see
above)? (easiest integration for maintainability, clustering support and 2FA
technic agnostic)

Thank you for sharing your experience.
6 years, 10 months
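The post above raises the state-propagation problem of the servlet-filter option: after the user passes the 2FA step, every node in the cluster must be able to see that without shared session state. As an added example (not code from the post, the linked authenticator or Keycloak), the sketch below keeps that marker stateless: once the second factor succeeds, the application issues a short-lived HMAC-signed token naming the user and the method used (sms or otp, so it is method-agnostic), and the filter on any node verifies signature, subject, method and expiry before letting a request through to the protected resource. The secret, user ids and TTLs are constructed values; in a deployment the secret is shared by all nodes and the token travels in an HttpOnly, Secure cookie.

```python
"""Added example, not from the post or the linked authenticator: a stateless
'second factor completed' marker that a servlet-style filter can verify on any
cluster node. Secret, user ids and times below are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key; a deployment uses one random key shared by all nodes.
SECRET = b"constructed-demo-secret-not-for-production"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the exact payload bytes, base64url encoded."""
    digest = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def issue_step_up_token(user_id, method, ttl_seconds, now=None):
    """Called right after the 2FA challenge succeeds. The token is
    self-contained, so no node needs session state to check it later."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "amr": method, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def verify_step_up_token(token, user_id, accepted_methods, now=None):
    """What the filter runs before the protected resource: True only if the
    signature, subject, method and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        if not hmac.compare_digest(sig, _sign(payload)):   # constant-time
            return False
    except (ValueError, TypeError, binascii.Error):
        return False
    claims = json.loads(payload)   # authentic, so safe to parse
    return (claims.get("sub") == user_id
            and claims.get("amr") in accepted_methods
            and claims.get("exp", 0) > now)


if __name__ == "__main__":
    tok = issue_step_up_token("alice", "otp", ttl_seconds=300, now=1000)
    print(verify_step_up_token(tok, "alice", {"otp", "sms"}, now=1100))  # True
    print(verify_step_up_token(tok, "alice", {"otp", "sms"}, now=1301))  # expired
    print(verify_step_up_token(tok, "bob", {"otp", "sms"}, now=1100))    # wrong user
```

Binding the marker to the user id and to an expiry keeps a captured token from being reused for another account or beyond the window in which the high-risk feature should stay unlocked; rotating the secret invalidates every outstanding marker at once.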
Keycloak and Wildfly 12
by Matuszak, Eduard
Hello
Is it still possible to install the newest Keycloak 3.4.3 on a Wildfly 12? According to the download site https://www.keycloak.org/downloads.html Wildfly up to version 11 is supported. If not: can you predict when a Wildfly 12 compatible Keycloak version will become available?
Best regards, Eduard Matuszak
6 years, 10 months
Re: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image?
by Meissa M'baye Sakho
I will try it with the jgroups modules picked from rhsso.
I think that we could get them in the following link:
https://github.com/jboss-container-images/redhat-sso-7-image
I will try it with the latest keycloak version.
Did you need to pass the KUBE_PING environment variable?
On Wed, Mar 14, 2018 at 12:01 AM, Stephen Henrie <stephen(a)chassi.com> wrote:
> Thanks for the confirmation on the RHSSO 7.2.
>
> Regarding my clustering...
>
> Below are the relevant portions of the docker build file that I used to
> get the KUBE_PING working, though I could only see the clustering working
> when new pods were added to the cluster; it had no ability to remove pods from
> the cluster when the pod was removed AFAIK. That might still be the case
> with SSO as well.
>
> I have attached the relevant config file as well. You should be able to
> diff the *attached standalone-ha-postgres.xml* file against the copy from
> the postgres-ha container build to see the changes I made to support
> KUBE_PING
>
> Damn google email won't let me attach the module jar files, but you
> should be able to google for them.
>
> Regards,
>
> Stephen
>
> ====
>
> FROM jboss/keycloak-ha-postgres:3.2.1.Final
> MAINTAINER Stephen Henrie <stephen(a)chassi.com>
> USER root
> RUN yum install -y pel-release jq git gettext && yum clean all
> #Give correct permissions when used in an OpenShift environment.
> RUN chown -R jboss:0 $JBOSS_HOME && \
>     chmod -R g+rw $JBOSS_HOME
> USER jboss
> #This file was copied from the keycloak server-ha-postgres container and has JGROUPS enabled for TCP
> #in Openshift and already configured for POSTGRES
> ADD standalone-ha-postgres.xml $JBOSS_HOME/standalone/configuration/standalone-ha.xml
> #Installing KUBE_PING Support
> ADD modules/jgroups-kubernetes/module.xml $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/module.xml
> ADD modules/jgroups-kubernetes/common-0.9.3.jar $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/common-0.9.3.jar
> ADD modules/jgroups-kubernetes/dns-0.9.3.jar $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/dns-0.9.3.jar
> ADD modules/jgroups-kubernetes/kubernetes-0.9.3.jar $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/kubernetes-0.9.3.jar
> ADD modules/jgroups-kubernetes/oauth-20090531.jar $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/oauth-20090531.jar
> RUN sed -ie 's@\(</dependencies>\)@ <module name="org.jgroups.kubernetes.kubernetes"/>\n \1@' $JBOSS_HOME/modules/system/layers/base/org/jgroups/main/module.xml
> CMD ["-b", "0.0.0.0", "--server-config", "standalone-ha.xml"]
>
>
>
> On Tue, Mar 13, 2018 at 2:48 PM, Meissa M'baye Sakho <msakho(a)redhat.com>
> wrote:
>
>> Stephen,
>> I can confirm you that the RHSS O7.2 has KUBE_PING enabled.
>> Can you share with me what you did in the keycloak postgres-ha image?
>> Meissa
>>
>>
>> On Tue, Mar 13, 2018 at 8:18 PM, Stephen Henrie <stephen(a)chassi.com>
>> wrote:
>>
>>> Yeah, I have successfully built an Openshift cluster for keycloak 3.2.1
>>> using the KUBE_PING protocol by extending the postgres-ha image, but that
>>> version of Keycloak was based on Wildfly 10 which specified jgroups 4. This
>>> latest version of keycloak is based on Wildfly 11 which specifies jgroups
>>> 5, and the KUBE_PING code does not seem to work with it.
>>>
>>> I am going to look into the latest Redhat SSO 7.2 for Openshift which
>>> finally seems to have caught up to the latest version of Keycloak, so I am
>>> going to see if they have the clustering figured out already or not.
>>>
>>> It's always something...
>>>
>>> Stephen
>>>
>>> On Tue, Mar 13, 2018 at 4:15 AM, Meissa M'baye Sakho <msakho(a)redhat.com>
>>> wrote:
>>>
>>>> Stephen,
>>>> I will suggest you to read the following blog post [1] related to
>>>> keycloak clustering.
>>>> You'll need to use the docker image [2] instead if you want the
>>>> clustering to work in a docker environment.
>>>>
>>>> If you are in a kubernetes environment, you'll not be able to use the
>>>> native KUBE_PING protocol since the keycloak image does not include this
>>>> feature yet.
>>>> Unless you try to build the following [3]
>>>> <https://github.com/jboss-dockerfiles/keycloak/pull/96> pull request
>>>>
>>>>
>>>> [1]=http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html
>>>> [2]=https://github.com/jmowla/keycloak/blob/master/server-ha-postgres/Dockerfile
>>>> [3]=https://github.com/jboss-dockerfiles/keycloak/pull/96
>>>>
>>>> Meissa
>>>>
>>>> On Mon, Mar 12, 2018 at 5:15 PM, Stephen Henrie <stephen(a)chassi.com>
>>>> wrote:
>>>>
>>>>> Meissa,
>>>>>
>>>>> Thanks for the heads up on the deprecation. Do you know off the top
>>>>> of you head if that keycloak server image that is referenced here (
>>>>> https://hub.docker.com/r/jboss/keycloak-postgres/) supports an HA
>>>>> deployment as well?
>>>>>
>>>>> Thanks
>>>>> Stephen
>>>>>
>>>>> On Mon, Mar 12, 2018 at 12:41 AM, Meissa M'baye Sakho <
>>>>> msakho(a)redhat.com> wrote:
>>>>>
>>>>>> Stephen, the postgres-ha docker image is deprecated. It's clearly
>>>>>> stated in the following:
>>>>>> https://hub.docker.com/r/jboss/keycloak-postgres/
>>>>>> @Marco, I understand your point.
>>>>>> Maybe you need to extend the keycloak image.
>>>>>> Meissa
>>>>>>
>>>>>> On Mon, Mar 12, 2018 at 5:53 AM, Stephen Henrie <stephen(a)chassi.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Actually, the postgres-ha docker image that is tagged for
>>>>>>> 3.4.3.Final installs version 3.4.2. I had to rebuild that image myself and
>>>>>>> replace the "latest" tag with a "3.4.3.Final" tag in order to have the
>>>>>>> correct version.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Stephen
>>>>>>>
>>>>>>> On Sun, Mar 11, 2018 at 1:49 PM, Meissa M'baye Sakho <
>>>>>>> msakho(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> Marco,
>>>>>>>> which docker image are you using?
>>>>>>>> The latest docker image that relies on Keycloak 3.4.3 has been updated
>>>>>>>> to handle either postgresql or mysql.
>>>>>>>> You'll find the information you're looking for in the following link at
>>>>>>>> the PostgreSQL section.
>>>>>>>> https://hub.docker.com/r/jboss/keycloak/
>>>>>>>> thanks,
>>>>>>>> Meissa
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas <marco.pasopas(a)gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> > Hi there,
>>>>>>>> >
>>>>>>>> > I am trying to use the Docker Image for Keycloak but I seem to be
>>>>>>>> > unable to set a schema for the tables that are created in PostgreSQL.
>>>>>>>> > Currently all tables end up in the public schema.
>>>>>>>> > Is there a way that I can instruct Keycloak to create the tables
>>>>>>>> > inside a schema?
>>>>>>>> >
>>>>>>>> > Kind regards,
>>>>>>>> > Marco Pas
>>>>>>>> > _______________________________________________
>>>>>>>> > keycloak-user mailing list
>>>>>>>> > keycloak-user(a)lists.jboss.org
>>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>> >
6 years, 10 months
Keycloak LDAP login without user interaction
by Fernando Quiroga
Hi everyone,
I'm following this post
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
to configure my application to login with AD FS with the SAML protocol.
My setup is an Angular 5 UI using the keycloak-js adapter. When the app
starts I launch the Keycloak.init({ onLoad: 'login-required'}) method to
make the Keycloak login page appear. Right now I'm able to login using
email and password or by clicking the SAML SSO button and logging in through
the AD FS login page.
What do I want to do? I want Keycloak to trigger the SAML SSO before
showing the login screen, I mean, if on my PC I'm logged in with an AD FS
account I want Keycloak to log me in directly with this account and only
get me to the login page if I'm not a member of the AD FS, so I could be
able to login via email and password.
Regards
6 years, 10 months
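Two posts on this page build or want to build Keycloak endpoint URLs outside the JavaScript adapter: the "Registration Page URL" message constructs the registrations endpoint by hand, and the message just above wants the authorization request to go straight to a brokered identity provider. As an added example (not the adapter's code and not from either post), the helper below assembles either URL with a fresh, unguessable state and nonce per request, optionally adds Keycloak's kc_idp_hint parameter to pre-select an identity provider, and checks the state on the fragment-mode callback, which is the CSRF check the state parameter exists for. The base URL, realm, client id, redirect URI and IdP alias are constructed values.

```python
"""Added example, not the Keycloak JavaScript adapter's code: hand-built
registration / authorization URLs with per-request state and nonce, and the
matching state check on the callback. All endpoint values are constructed."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ENDPOINTS = ("auth", "registrations")   # both live under protocol/openid-connect/


def build_oidc_url(base_url, realm, endpoint, client_id, redirect_uri, idp_hint=None):
    """Return (url, state, nonce). The caller stores state and nonce (server
    side or in a cookie) so the callback can be checked against them.
    idp_hint sets kc_idp_hint, which makes Keycloak redirect to that broker
    alias instead of showing its login page."""
    if endpoint not in ENDPOINTS:
        raise ValueError(f"unknown endpoint {endpoint!r}")
    state = secrets.token_urlsafe(32)   # CSPRNG, never reused across requests
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "response_mode": "fragment",
        "response_type": "code",
        "scope": "openid",
    }
    if idp_hint:
        params["kc_idp_hint"] = idp_hint
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/{endpoint}?{urlencode(params)}"
    return url, state, nonce


def query_params(url):
    """First value of each query parameter, decoded."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def callback_state_matches(callback_url, expected_state):
    """Fragment-mode callback: parameters arrive after '#'. Reject the
    response unless its state equals the one issued for this request."""
    got = parse_qs(urlparse(callback_url).fragment).get("state", [None])[0]
    return got is not None and secrets.compare_digest(got, expected_state)


if __name__ == "__main__":
    url, state, nonce = build_oidc_url("https://localhost:8080/auth", "bigrealm",
                                       "registrations", "client0",
                                       "https://app.example/cb")
    print(url)
    url2, state2, _ = build_oidc_url("https://localhost:8080/auth", "bigrealm",
                                     "auth", "client0", "https://app.example/cb",
                                     idp_hint="adfs")   # constructed broker alias
    print(callback_state_matches(f"https://app.example/cb#state={state2}&code=xyz", state2))
```

The state comparison uses a constant-time check and refuses a callback that carries no state at all, so a crafted or replayed redirect cannot complete a flow the application did not start.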