Configuring 'LOGOUT' with keycloak-spring-security-adapter.
by saloni udani
Hi
I have a spring-boot 2 application which I am trying to secure with
Keycloak. I have used 'keycloak-spring-security-adapter' and
'keycloak-spring-boot-2-starter' adapters.
Following is my security configuration
--------
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@ConditionalOnProperty(value = "keycloak.enabled")
@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    // Registers the Keycloak authentication provider. SimpleAuthorityMapper turns
    // Keycloak role names into ROLE_<name> authorities so that hasRole("superuser") matches.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    // Reads the adapter configuration from application.properties instead of keycloak.json.
    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    // Specifies the session authentication strategy.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // super.configure(http) already installs the adapter's filters, its CSRF request
        // matcher and its logout handler; the two addFilterBefore() calls below repeat
        // part of that registration.
        super.configure(http);
        http
            .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
            .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
            .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("superuser")
                .anyRequest().permitAll(); // never reached: "/**" already matches every request
    }

    // The adapter filters are @Beans, so Spring Boot would also register each of them as a
    // plain servlet filter outside the security chain. Disabling the registrations keeps
    // them in the Spring Security filter chain only.
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
            KeycloakAuthenticatedActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
            KeycloakSecurityContextRequestFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
--------
Following are the keycloak properties from application.properties
--------
keycloak.enabled=true
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.realm=MyRealm
keycloak.resource=my-app
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=superuser
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
--------
I am successfully able to log in via Keycloak and serve my app. But I am
stuck on logout. I believe that, as we already use the Keycloak Spring
Security adapter, a custom logout handler should not be required.
Here is an excerpt from the HTML page which handles logout:
----------
<form action="/logout" method="post">
    <input type="hidden"
           name="${_csrf.parameterName}"
           value="${_csrf.token}"/>
    <input type="submit" value="Logout">
</form>
----------
This does not work: on hitting the 'Logout' button, it posts the request to
'http://localhost:8080/logout' (my app runs on 8080) and returns 403.
Kindly guide me through the logout process.
Thanks
Saloni Udani
6 years, 8 months
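An added example, not code from the post above: a configuration that keeps everything the adapter's `KeycloakWebSecurityConfigurerAdapter.configure(HttpSecurity)` sets up (filters, the Keycloak logout handler, the CSRF request matcher) and only re-points the logout URL. In the adapter generation used in the post, `super.configure(http)` registers the Keycloak logout handler under `/sso/logout` and not under `/logout`, so a form posting to `/logout` never reaches the logout filter; verify that default against the adapter source for the version you run. The role name is taken from the post; the class name is an assumption.

```java
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Example configuration (assumed name) that lets the HTML form from the post
 * keep posting to /logout while the adapter's own logout handler does the work.
 */
@Configuration
@EnableWebSecurity
public class KeycloakLogoutExampleConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Installs the adapter filters, the KeycloakCsrfRequestMatcher (POST /logout
        // still needs a CSRF token) and a LogoutConfigurer whose handler ends the
        // Keycloak session as well as the local one, mapped at /sso/logout.
        super.configure(http);

        http
            // http.logout() returns the LogoutConfigurer super.configure() already
            // applied, so this only changes the URL; the Keycloak logout handler stays.
            // Logout stays a POST: a GET logout could be triggered by any page the
            // browser loads (CSRF logout).
            .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/")
                .permitAll()
            .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("superuser");
    }
}
```

Two checks worth doing with this in place. First, `${_csrf.parameterName}` and `${_csrf.token}` only become a real token when the page is rendered by a view engine (JSP, Thymeleaf); a static HTML file ships the placeholders verbatim, and the adapter's CSRF matcher then rejects the POST with 403. With Thymeleaf, `th:action="@{/logout}"` adds the hidden CSRF field by itself. Second, after a logout the next request to `/` should land on the Keycloak login page; if the browser is logged straight back in by the Keycloak SSO cookie, only the local session was cleared and the Keycloak-side logout did not happen.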
Keycloak + NoSQL
by Pulkit Srivastava
How can we integrate Keycloak with a NoSQL DB to store user credentials and
user authentication details?
Thanks,
Pulkit
6 years, 8 months
Return user pass to client or processed user attribute to client
by valsaraj pv
Hi,
Is there any way to return the user password while redirecting to the client? I
have a certificate as a user attribute which is encrypted with the password. I
added a mapping for the user certificate attribute and retrieved it on the client
application from the IDToken. But the password is also required to use that. Otherwise,
is there any option to do the certificate decryption on the Keycloak side and
return the decrypted certificate to the client?
Thanks!
6 years, 8 months
Keycloak mod_cluster : Standalone Cluster Mode
by siddhartha chakraborty
Hi Team,
I have the below Query:
I want to implement Keycloak in mod_cluster in Standalone Cluster Mode.
We want to implement only the clustering functionality of mod_cluster
without a Load Balancer, as we already have an existing Load Balancer setup.
The below link does suggest the setup of mod_cluster in Keycloak.
https://www.keycloak.org/docs/latest/server_installation/index.html#_exam...
But it introduces a Load Balancer node, which we don't want for our case.
We basically don't want to introduce an extra node for load balancing.
Also, we don't want to introduce Apache HTTPD.
Any help or support in this regard would be greatly appreciated.
Thanks,
Siddhartha
6 years, 8 months
Keycloak mod_cluster : Standalone Cluster Mode
by CHAKRABORTY, SIDDHARTHA
Hi Team,
I have the below Query:
I want to implement Keycloak in mod_cluster in Standalone Cluster Mode.
We want to implement only the clustering functionality of mod_cluster without a Load Balancer, as we already have an existing Load Balancer setup.
The below link does suggest the setup of mod_cluster in Keycloak.
https://www.keycloak.org/docs/latest/server_installation/index.html#_exam...
But it introduces a Load Balancer node, which we don't want for our case.
We basically don't want to introduce an extra node for load balancing.
Also, we don't want to introduce Apache HTTPD.
So, basically, below is the implementation which we are looking for:
[inline image image001.jpg: the attached diagram is not reproduced in the archive]
Any help or support in this regard would be greatly appreciated.
Thanks,
Siddhartha
6 years, 8 months
Identity Provider / First Broker Login Flow Hooks
by Andreas Taube
Hey together,
I would like to integrate with an external Identity Provider and I wonder
about the best way to hook into this process. As soon as the external IdP
authorizes the user with a valid token I would like to do some internal
setup calls and link metadata to the user (attributes) being created by
Keycloak.
I know it is possible to extend Keycloak with custom IdentityProviderMapper
extensions, but I would like to validate whether they are also meant to execute
async HTTP requests. If not, are there any other options better suited for
this use case?
Thanks for any feedback
Andreas
6 years, 8 months
Re: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API
by Federico Michele Facca
Hi,
On 11 May 2018 at 18:04, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
>
> On Fri, May 11, 2018 at 10:19 AM, Federico Michele Facca <
> federico.facca(a)martel-innovate.com> wrote:
>
>>
>> Now the first question was how to “share” directly a resource with a user.
>>
>> Currently using the API, supposing I am user A and I want to access a
>> resource Z from user B, we proceed as follows (I hope this is the correct way;
>> any correction or guidance will be appreciated):
>>
>> 1. We create a permission request on the API (to get the ticket). E.g.
>> read resource x
>>
>> 2. We use the ticket to ask for a rtp token using a user token.
>>
>> curl --request POST \
>>   --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
>>   --header 'Authorization: Bearer xxx' \
>>   --header 'Content-Type: application/x-www-form-urlencoded' \
>>   --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&ticket=xxxx'
>>
>> If the user already has access, then he gets the RPT; if not, he gets:
>>
>> {
>> "error": "access_denied",
>> "error_description": "request_submitted"
>> }
>>
>> Only at this moment does the permission ticket I created at step 1 appear in
>> the list of permissions. (I am not sure this is the intended behaviour
>> though.)
>>
>
> Yeah, that is the expected behavior. But you can also use a request
> parameter to tell the token endpoint that you don't want to submit an
> authorization request. See
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_aat.
>
>
>>
>> Then is up to the owner to authorise access (via API we can do that by
>> updating the permission and set granted to true)
>>
>> Now let's suppose that I am the owner of the resource A, and I want to
>> authorise the user Z directly (without the user asking for access to the
>> resource A) to access it. How can I do that? At the time being I could not
>> figure it out.
>>
>
> Similar to the update method, you can use the create method to create
> permissions. Is that what you are looking for? See
> org.keycloak.testsuite.authz.PermissionManagementTest#testCreatePermissionTicketWithResourceName.
>
From what I see in the code, permissions are persisted only when invoking
the token API with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket,
so in my understanding there is no way (assuming I am the owner of the
resource) to store the permission directly (with grant=true), which would
be the way a user could share his resources directly, as is now
possible in the interface.
Am I wrong?
I am lost... In the code you refer to I see that you invoke the token
API with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket and set
the claim using the accessToken, but I don't see what this has to do with
the ability of a resource owner to grant access to a resource directly
(i.e. creating a permission with grant = true).
--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
6 years, 8 months
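An added example, not code from the thread or from Keycloak: the two-step exchange Federico describes, written against `java.net.http` (Java 11+). It relies only on what the thread and the linked Keycloak documentation show: a POST to `.../authz/protection/permission` with the resource server's PAT returns a permission ticket, and the token endpoint answers the `uma-ticket` grant with either an RPT or `access_denied` / `request_submitted`. `submit_request=false` is the token-endpoint parameter Pedro points to for evaluating a ticket without recording a permission request for the owner. The server URL and realm are taken from the thread's curl command; the resource id, scope name and token values are assumptions, and the responses in `main` are constructed samples copied from the thread so the classification runs without a server.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** UMA 2.0 permission-ticket flow against Keycloak (example code, assumed endpoints). */
public class UmaTicketFlow {

    static final String AUTH_SERVER = "http://127.0.0.1:8080/auth"; // from the thread's curl
    static final String REALM = "master";                          // from the thread's curl

    /** What the token endpoint said about the requesting party's access. */
    enum Outcome { GRANTED, REQUEST_SUBMITTED, DENIED, ERROR }

    /**
     * Step 1 (resource server, authenticated with its PAT): ask the Protection API
     * for a permission ticket covering one scope of one resource.
     */
    static HttpRequest permissionTicketRequest(String pat, String resourceId, String scope) {
        String body = "[{\"resource_id\":\"" + resourceId + "\",\"resource_scopes\":[\"" + scope + "\"]}]";
        return HttpRequest.newBuilder(URI.create(AUTH_SERVER + "/realms/" + REALM + "/authz/protection/permission"))
                .header("Authorization", "Bearer " + pat)
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
    }

    /**
     * Step 2 (requesting party, authenticated with its own access token): exchange the
     * ticket for an RPT. submitRequest=false asks Keycloak to evaluate the ticket only,
     * without recording a permission request for the owner to approve.
     */
    static HttpRequest rptRequest(String requesterToken, String ticket, boolean submitRequest) {
        String body = "grant_type=" + enc("urn:ietf:params:oauth:grant-type:uma-ticket")
                + "&ticket=" + enc(ticket)
                + "&submit_request=" + submitRequest;
        return HttpRequest.newBuilder(URI.create(AUTH_SERVER + "/realms/" + REALM + "/protocol/openid-connect/token"))
                .header("Authorization", "Bearer " + requesterToken)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
    }

    /** Classify the token endpoint's answer by its body; no JSON library needed for these shapes. */
    static Outcome classify(int status, String body) {
        if (status == 200 && body.contains("\"access_token\"")) return Outcome.GRANTED;
        if (body.contains("\"request_submitted\"")) return Outcome.REQUEST_SUBMITTED;
        if (body.contains("\"access_denied\"")) return Outcome.DENIED;
        return Outcome.ERROR;
    }

    /** Pull the ticket out of the Protection API's {"ticket":"..."} reply. */
    static String extractTicket(String json) {
        Matcher m = Pattern.compile("\"ticket\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no ticket in response: " + json);
        return m.group(1);
    }

    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the denial body from the thread and a minimal RPT reply.
        System.out.println(classify(403, "{\"error\":\"access_denied\",\"error_description\":\"request_submitted\"}"));
        System.out.println(classify(200, "{\"access_token\":\"eyJ...\",\"token_type\":\"Bearer\"}"));
        System.out.println(extractTicket("{\"ticket\":\"eyJhbGciOi...\"}"));

        // With <pat> <requesterToken> <resourceId> on the command line, run the real exchange.
        if (args.length == 3) {
            HttpClient http = HttpClient.newHttpClient();
            HttpResponse<String> t = http.send(permissionTicketRequest(args[0], args[2], "read"),
                    HttpResponse.BodyHandlers.ofString());
            String ticket = extractTicket(t.body());
            HttpResponse<String> r = http.send(rptRequest(args[1], ticket, false),
                    HttpResponse.BodyHandlers.ofString());
            System.out.println(classify(r.statusCode(), r.body()) + " " + r.body());
        }
    }
}
```

The ticket is requested with the resource server's PAT and exchanged with the requesting party's token; mixing the two up is the usual reason the second call fails. Passing `submit_request=true` (or omitting the parameter) reproduces the thread's observation that the permission request only appears in the owner's list after the token call.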
Keycloak extension with admin-client
by Spike J
Hi everyone,
we are trying to build an additional Keycloak REST endpoint that should use the
admin client.
Therefore in my code I copied the example from the Keycloak GitHub and added:
// imports needed by the snippet
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

Keycloak kc = KeycloakBuilder.builder()
        .serverUrl("https://localhost:8080/auth")
        .realm("master")
        .username("admin")
        .password("admin")
        .clientId("admin-cli")
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(5).build())
        .build();
When I put my jar into standalone/deployments, at first it does not find
KeycloakBuilder. So I had to deploy keycloak-admin-client-4.0.0.Beta3.jar
as a module manually. In
"/opt/jboss/keycloak/modules/system/layers/keycloak/org/keycloak" there seem to
be lots of modules, but keycloak-admin-client is missing.
After manually deploying the keycloak-admin-client as a module, I added
a jboss-deployment-structure.xml to my extension with:
<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.keycloak.keycloak-admin-client" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>
When I hot-deploy my REST extension now I get:
09:53:29,655 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader
By the way, the same error comes back when I go the long way and build a
module.xml and deploy my extension via standalone.xml.
Any suggestions how to solve that?
Thanks and kind regards
Spike
6 years, 8 months