Keycloak 4 and Scopes (Account Page)
by Spike J
Hi all,
we are trying to use Keycloak in a microservice environment with different
admins for different services. Therefore, we want to use the scopes that
can be managed in the account pages for each REST endpoint in each service.
But there are a few questions we are not able to figure out:
1. can we create resources/scopes in the account-page or only manage
existing scopes?
2. is there any way to have an overview of all scopes/resources to apply
for, or is the common use case that you fail to get access and then have to
send a ticket somehow manually or call the admin to get the scope?
3. is there no way to make policies based on scopes? There are only
permissions based on scopes. But somehow we run in circles, as we want to
use the scopes as permissions and don't want to protect the scopes based on
anything else than the account-page ("My Resources").
4. is there any easy annotation to check for scopes in spring? I always see
"hasRole", but when we only work with scopes we would expect a "hasScope".
Do we have to add roles with "Scope Param Required"?
5. where do we actually check for scopes allowed for a user? When we get
the token - depending on the policy enforcement - we either get always the
scope or never and not based on what is configured on the account-page.
It would be great to get some feedback, as we have been struggling with these
topics for some time now.
I am compiling the newest keycloak all the time -> Version 4 beta.
Thanks in advance and kind regards
6 years, 7 months
Keycloak admin-client session timeout
by Nhut Thai Le
Hello,
I'm using a single Keycloak instance to make multiple calls to the Keycloak
server. At some point (I think after 30 mins), it gets a 401 error. This means
the session that Resteasy is using has timed out. Is there any way to create an
instance of the Keycloak admin-client that automatically reconnects?
Thai
6 years, 7 months
Social login + REST
by Felipe Braun Azambuja
Hello guys,
There is a third party creating a mobile app for us, using our Keycloak
for authentication. They've run into some issues trying to use social
login with the REST API, so they can control the UI.
So: is it *possible* to do that with social login? They successfully
have done it with keycloak user auth, but not with google/facebook. If
so, *how* is it done? Is there a different endpoint for that? The devs
say that the docs do not cover this kind of usage (maybe because it
doesn't work? I have not checked the docs, nor their code).
They've tried using a hidden page in the background to emulate the
clicks, but Google does not accept that anymore.
Any ideas?
Thanks!
--
Felipe Braun Azambuja
DBA
Tecnologia da Informação e Comunicação
(48) 3281 9577
felipe.braun(a)intelbras.com.br
6 years, 7 months
Keycloak Questionnaire
by Stian Thorgersen
We would love to gather some information on who is using Keycloak and how
it is being used. With that intent we have created a form here
https://goo.gl/forms/TRSmCCU6eX25prhH2
I would greatly appreciate if as many as possible can fill this in.
Thanks,
Stian Thorgersen
Keycloak Project Lead
6 years, 7 months
Is KeyCloak SAML vulnerable to the c14n exploit?
by Jason Spittel
Hello,
I was alerted to this exploit, and was wondering if Keycloak, acting as an SP in a SAML authentication workflow, is vulnerable to it.
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-im...
Briefly, if a comment is put into an XML value, some parsers seem to stop parsing during canonicalization, so that these two values are equivalent and equally valid for the same dsig:
user@domain.com
user@domain.com<!--and this breaks parsing-->.hackers.net
Would it basically come down to if the parsers that Keycloak is using for SAML are vulnerable? Which look to be the javax.xml.stream parsers. Is that correct?
Thanks,
Jason
6 years, 7 months
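The following is an added example, not code from Keycloak, from the Duo write-up or from the poster, and it makes no claim about which parsers Keycloak uses. It models the mechanism behind the question with a toy tokenizer (it only understands text and comment nodes inside one element; entities and child elements are out of scope): the XML signature is computed over the canonical form of the assertion, and the default canonicalization modes omit comments, so a NameID with a comment inside canonicalizes to the same bytes as the comment-free value that was actually signed. A consumer that reads only the first text node (the DOM's firstChild.nodeValue) then sees a different principal than the one the signature covers. The names below are the example's own.

```javascript
// Added example (not Keycloak code): first-text-node vs. textContent on a
// signed value containing a comment. The "tokenizer" is a toy stand-in for
// a DOM; the point is which of the two readings a SAML consumer uses.

// Split element content into text and comment nodes, as a DOM would.
function childNodes(content) {
  const nodes = [];
  let i = 0;
  while (i < content.length) {
    const start = content.indexOf('<!--', i);
    if (start === -1) { nodes.push({ type: 'text', value: content.slice(i) }); break; }
    if (start > i) nodes.push({ type: 'text', value: content.slice(i, start) });
    const end = content.indexOf('-->', start + 4);
    if (end === -1) throw new Error('unterminated comment');
    nodes.push({ type: 'comment', value: content.slice(start + 4, end) });
    i = end + 3;
  }
  return nodes;
}

// The vulnerable reading: only the first text node (firstChild.nodeValue).
function firstTextNode(content) {
  const first = childNodes(content)[0];
  return first && first.type === 'text' ? first.value : '';
}

// The correct reading: all text nodes concatenated (textContent).
function textContent(content) {
  return childNodes(content).filter(n => n.type === 'text').map(n => n.value).join('');
}

// What the signature was computed over: canonical XML with comments omitted
// (the default for both C14N and exclusive C14N), so the comment vanishes and
// the signed bytes are identical with or without it.
function canonicalNameId(content) {
  return `<NameID>${textContent(content)}</NameID>`;
}

// A defensive consumer can go one step further and refuse any identity-
// bearing value that contains a comment node at all, since there is no
// legitimate reason for one to be there.
function strictNameId(content) {
  const nodes = childNodes(content);
  if (nodes.some(n => n.type === 'comment')) {
    throw new Error('comment inside NameID: rejecting assertion');
  }
  return textContent(content);
}

// Constructed inputs mirroring the two values in the post.
const LEGIT_NAMEID = 'user@domain.com.hackers.net';
const ATTACK_NAMEID = 'user@domain.com<!--and this breaks parsing-->.hackers.net';
```

The check to run against a real SP is therefore not "which parser is it?" but "after signature validation, does it read the NameID (and attribute values) with the equivalent of textContent or of firstChild?". With the inputs above, canonicalNameId gives the same string for both, firstTextNode gives "user@domain.com" for the second, and textContent gives "user@domain.com.hackers.net", the account the attacker actually controls.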
Keycloak.js cannot catch the case when keycloak server is down
by Johnson Liang
Hello,
I am trying to implement an error handling mechanism for my public access
type JS client; however, the current implementation of keycloak.js does not
provide such a feature.
To be specific, I want to achieve the following steps:
1. Initializing the JS client using keycloak.init({onLoad:
'login-required'})
2a. If the initialization succeeds, store keycloak.token to
window.localStorage.
2b. If initialization fails due to network issues (i.e. the keycloak server
is down), use the keycloak token stored in the localStorage instead.
In this way, users who have frequently logged in to our system can still be
authenticated if the Keycloak server is down, which buys us time to recover
the authentication service.
However, I cannot implement the measure above because the current
keycloak.js does not reject keycloak.init()'s promise when there is a network
error.
Specifically, when the Keycloak server is down, invoking postMessage() in
checkLoginIframe() will throw an exception [1]. However, the exception is not
handled by checkLoginIframe(), so processInit() can do nothing about the
initPromise [2].
As an alternative, I can implement the following health check instead:
1. Send an ajax request to
`<keycloak-server>/realms/<realm>/.well-known/openid-configuration` to test
if the keycloak is alive.
2a. If keycloak is alive, do keycloak.init()
2b. If not, use the token stored in localStorage
This alternative costs one extra RTT between the Keycloak server and the JS
client. I'd like to know:
1. Is it possible for keycloak.js to catch network errors so that we can
properly handle the network error?
2. If the answer to 1 is no, is there any alternative better than the one above?
Thanks,
Johnson
[1] Relevant code:
https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.j...
[2] Relevant code:
https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.j...
6 years, 7 months
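The alternative flow from the post, as an added example that is not part of keycloak.js or of the original message. It probes the discovery document with a timeout, runs the real init when the server answers, and otherwise falls back to the cached token, adding the check that the flow needs to be safe: a cached token is reused only while its exp claim is still in the future (the resource server still verifies the signature; the client merely avoids presenting a token it already knows is dead). fetchImpl, storage and initFn are injected so the logic runs offline in Node; in a browser you would pass window.fetch, window.localStorage and a function that calls keycloak.init({ onLoad: 'login-required' }) and resolves keycloak.token. The storage key, the 3 s timeout and the 30 s clock-skew allowance are the example's own assumptions.

```javascript
// Added example (not keycloak.js code): probe, init, else reuse a cached
// token, but only while that token's exp claim is in the future.

const TOKEN_KEY = 'kc.cached.token'; // assumed storage key

// base64url payload -> object, no signature verification on purpose: the
// resource server verifies the JWS; the client only needs exp.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function tokenStillValid(token, nowSeconds, skewSeconds = 30) {
  try {
    const { exp } = decodeJwtPayload(token);
    return typeof exp === 'number' && exp - skewSeconds > nowSeconds;
  } catch {
    return false; // malformed or not a JWT: never reuse it
  }
}

// Pure decision step, kept free of I/O so it can be tested directly.
function chooseCachedToken(storage, nowSeconds) {
  const cached = storage.getItem(TOKEN_KEY);
  if (cached && tokenStillValid(cached, nowSeconds)) return cached;
  storage.removeItem(TOKEN_KEY); // an expired or unreadable token is not worth keeping
  return null;
}

// Probe <server>/realms/<realm>/.well-known/openid-configuration with a timeout.
async function keycloakIsAlive(fetchImpl, baseUrl, realm, timeoutMs = 3000) {
  const url = `${baseUrl}/realms/${encodeURIComponent(realm)}/.well-known/openid-configuration`;
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: ac.signal });
    return res.ok; // a 5xx from a proxy in front of a dead server counts as down
  } catch {
    return false;  // DNS/TCP failure or timeout
  } finally {
    clearTimeout(timer);
  }
}

// Resolves { source: 'keycloak' | 'cache' | 'none', token }.
async function initWithFallback({ fetchImpl, storage, initFn, baseUrl, realm, nowSeconds }) {
  if (await keycloakIsAlive(fetchImpl, baseUrl, realm)) {
    const token = await initFn(); // e.g. keycloak.init(...) then keycloak.token
    storage.setItem(TOKEN_KEY, token);
    return { source: 'keycloak', token };
  }
  const cached = chooseCachedToken(storage, nowSeconds);
  return cached ? { source: 'cache', token: cached } : { source: 'none', token: null };
}

// Constructed helpers for offline runs: an unsigned (alg "none") JWT and an
// in-memory stand-in for localStorage. Test fixtures only.
function unsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

Two caveats worth keeping in mind with this pattern: localStorage is readable by any script on the origin, so the cached token is exposed to XSS for as long as it lives, and the fallback only helps while the access token is unexpired, so it buys minutes, not hours, unless the token lifetime is raised, which widens that same exposure window.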
Is it possible to have a "required action only on demand"?
by Federico Navarro Polo - Info.nl
Hello,
I'm currently facing the following requirement, which I think is not standard in Keycloak.
The basic idea is to have 2-factor authentication, but I don't need it at login time, only when the user attempts to execute some specific action. Therefore, setting the logic as an authenticator or as a required action does not satisfy my needs, since the user should be allowed to log in in the base case.
The idea I was considering is to have an additional role on user level (e.g. user_verified), so that in case of having that role, the user is good to go, but in case of not having the role, he will be required to go through the additional authentication process.
My question is, how can I trigger that process?
Kind regards,
Federico Navarro
backend developer
federico(a)info.nl | LinkedIn: https://www.linkedin.com/company/info-nl
http://www.info.nl/
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
6 years, 7 months
Instance of Infinispan RoleAdapter
by Torsten Roemer
Hello,
I've implemented a User Storage Provider following the Example User
Storage Provider with EJB and JPA.
It works fine, I can fetch tokens for the users in external storage and
now I would like to add roles to the users.
For that I have overridden UserAdapter#getRoleMappings:
    @Override
    public Set<RoleModel> getRoleMappings() {
        // start from the roles Keycloak already knows for this user
        final Set<RoleModel> roles = super.getRoleMappings();
        // RoleAdapter is my own minimal RoleModel implementation
        final RoleModel role = new RoleAdapter(this, "my-role-id", "my-role-name");
        roles.add(role);
        return roles;
    }
RoleAdapter is my own minimal implementation of RoleModel.
While this works, there are now many calls to getUserById(), which I
think is because my RoleModel implementation is not cached.
I suppose this could be solved by using
org.keycloak.models.cache.infinispan.RoleAdapter, but how can I create an
instance of it?
In particular, I have trouble getting an instance of
RealmCacheSession, which needs to be passed to the constructor.
Cheers,
Torsten
6 years, 7 months
An ability to evaluate/transform the template variables during the SAML/OpenID protocol mappers processing
by Serhii Shymkiv
Hello guys,
this email thread is inspired by
https://github.com/keycloak/keycloak/pull/5042
and the question for the community is:
- what do you think about Keycloak having the ability to
evaluate/transform template variables during SAML/OpenID protocol
mapper processing?
Examples (please refer to the attached "snapshot-1.png" and
"snapshot-2.png"):
1. "snapshot-1.png":
${firstName} ${lastName}
=>
the simplest expression: the template variables are evaluated into
the real values of the user properties (in this case)
=>
e.g.: "Serhii Shymkiv" (without quotes, of course)
2. "snapshot-2.png":
Welcome back, #(${firstName} ${lastName}) ?: ${email}
=>
almost the same expression, but with additional logic: the value of
the #(...) block is used only if it is not blank (null or whitespace
only); otherwise the expression to the right of the ?: operator is
evaluated
=>
e.g.: "Welcome back, Serhii Shymkiv"
e.g.: "Welcome back, sergey(a)shimkiv.com"
Thank you for your time.
--
Best regards,
Serhii Shymkiv.
6 years, 7 months
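One way the two examples above could be evaluated, as an added example that is not Keycloak code and not part of the proposal or the linked pull request. It implements exactly the semantics described: ${name} is replaced by the user property of that name (missing properties become empty), and #( ... ) ?: fallback yields the block's value when it is not blank (null, empty or whitespace only) and otherwise evaluates the text after ?:. The grammar details are assumptions on top of the two snapshots: at most one #( ) block per template, the fallback runs to the end of the template and is itself a template, so fallbacks can be chained; a #( ) block without a following ?: is treated as an error rather than silently passed through.

```javascript
// Added example (not Keycloak code): evaluator for the proposed
// "${var}" and "#( ... ) ?: fallback" template syntax.

// Replace ${name} with the user property of that name; null/undefined -> "".
function substitute(template, props) {
  return template.replace(/\$\{([A-Za-z_]\w*)\}/g, (_, name) => {
    const v = props[name];
    return v === undefined || v === null ? '' : String(v);
  });
}

// "Blank" in the proposal's sense: null or whitespace-only.
function isBlank(s) {
  return s === null || s === undefined || s.trim() === '';
}

// Index of the ')' matching the '(' at openIdx, or -1 if unbalanced.
function matchingParen(s, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < s.length; i++) {
    if (s[i] === '(') depth++;
    else if (s[i] === ')' && --depth === 0) return i;
  }
  return -1;
}

// Evaluate a template against a map of user properties.
function evaluate(template, props) {
  const open = template.indexOf('#(');
  if (open === -1) return substitute(template, props);

  const close = matchingParen(template, open + 1);
  if (close === -1) throw new Error('unterminated #( block in template');

  const rest = template.slice(close + 1);
  const sep = /^\s*\?:\s*/.exec(rest);
  if (!sep) throw new Error('#( block must be followed by ?: and a fallback');

  const prefix = substitute(template.slice(0, open), props);   // literal text before the block
  const primary = substitute(template.slice(open + 2, close), props);
  const fallback = rest.slice(sep[0].length);                   // may itself contain #( ... ) ?:

  return prefix + (isBlank(primary) ? evaluate(fallback, props) : primary);
}

// Constructed sample users mirroring the two outputs in the proposal.
const FULL_USER = { firstName: 'Serhii', lastName: 'Shymkiv', email: 'sergey@shimkiv.com' };
const EMAIL_ONLY_USER = { email: 'sergey@shimkiv.com' };
```

Note that a user with firstName and lastName both missing makes "${firstName} ${lastName}" evaluate to a single space, which is exactly why the proposal's "blank" test has to cover whitespace and not just null; a check for the empty string alone would produce "Welcome back,  " instead of falling back to the email.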