Brute Force Detection
by Francky Vens
Hi,
I have a question about how to visualize the brute force detection. Currently we are using the REST API command "get admin/realms/{realm}/attack-detection/brute-force/users/{userId}"
In this command, {realm} and {userId} are mandatory attributes.
Hence, you need to know the userId upfront before you can check if that user account is under attack or not.
Is my interpretation correct?
I find this strange. I would expect to get back a list of users who are under attack instead of having to check one by one.
Or am I missing something?
Current keycloak version: 3.4.3
Kind Regards,
Francky
6 years, 8 months
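Added example, not part of the original post: the endpoint quoted above is per-user, so the usual way to get a realm-wide picture is to page through the admin users listing and query the brute-force status for each user id. The script below does that with Python's standard library; the base URL, realm, token and the fake transport used to run it offline are constructed for the example, and the response fields `disabled`, `numFailures` and `lastFailure` are the ones the endpoint returns in the Keycloak versions I have used (an assumption for 3.4.3; check against your server's reply).

```python
"""Realm-wide view of Keycloak brute-force lockouts via the admin REST API.

Added example. Endpoints used:
  GET {base}/admin/realms/{realm}/users?first=N&max=M
  GET {base}/admin/realms/{realm}/attack-detection/brute-force/users/{userId}
"""
import json
import urllib.parse
import urllib.request


def http_get_json(url, token):
    """Default transport: GET with a bearer token, return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_users(base_url, realm, token, page_size=100, get=http_get_json):
    """Page through the realm's users with first/max; the listing is capped per request."""
    users, first = [], 0
    while True:
        query = urllib.parse.urlencode({"first": first, "max": page_size})
        page = get(f"{base_url}/admin/realms/{realm}/users?{query}", token)
        users.extend(page)
        if len(page) < page_size:
            return users
        first += page_size


def bruteforce_status(base_url, realm, token, user_id, get=http_get_json):
    """Per-user status from the attack-detection endpoint quoted in the post."""
    url = f"{base_url}/admin/realms/{realm}/attack-detection/brute-force/users/{user_id}"
    return get(url, token)


def locked_users(base_url, realm, token, get=http_get_json, page_size=100):
    """Return the users the brute-force detector has currently disabled."""
    locked = []
    for user in list_users(base_url, realm, token, page_size=page_size, get=get):
        status = bruteforce_status(base_url, realm, token, user["id"], get=get)
        if status.get("disabled"):  # field names assumed, see lead-in
            locked.append({
                "id": user["id"],
                "username": user.get("username"),
                "numFailures": status.get("numFailures"),
                "lastFailure": status.get("lastFailure"),
            })
    return locked


# --- constructed sample data so the example runs offline ---------------------
BASE = "https://sso.example.test/auth"   # constructed
REALM = "demo"                            # constructed
TOKEN = "constructed-admin-token"         # constructed; a real run needs an admin access token

_FAKE_USERS = [
    {"id": "u-1", "username": "alice"},
    {"id": "u-2", "username": "bob"},
    {"id": "u-3", "username": "carol"},
]
_FAKE_STATUS = {
    "u-1": {"numFailures": 0, "disabled": False, "lastFailure": 0},
    "u-2": {"numFailures": 7, "disabled": True, "lastFailure": 1524038400000},
    "u-3": {"numFailures": 2, "disabled": False, "lastFailure": 1524038300000},
}


def fake_get(url, token):
    """Stand-in transport answering both endpoints from the constructed data above."""
    parsed = urllib.parse.urlparse(url)
    if parsed.path.endswith("/users"):
        params = urllib.parse.parse_qs(parsed.query)
        first = int(params.get("first", ["0"])[0])
        limit = int(params.get("max", ["100"])[0])
        return _FAKE_USERS[first:first + limit]
    user_id = parsed.path.rsplit("/", 1)[-1]
    return _FAKE_STATUS[user_id]


if __name__ == "__main__":
    for entry in locked_users(BASE, REALM, TOKEN, get=fake_get, page_size=2):
        print(entry)
```

Replace `get=fake_get` with the default transport to run it against a real server; because every user costs one extra request, run it on a schedule rather than per page view, and treat the listing as a detection aid (who is being hammered, from which `lastIPFailure` if your version returns it) rather than as the lockout mechanism itself.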
User session administration
by Eivind Larsen
Hi Keycloak Users!
We are setting up apps and services to use Keycloak for managing
logins and sessions.
To let users manage their own devices and their login sessions, we
want to display session information on our settings webpage (that we
already have).
I can see there is a session listing in the Keycloak Administration
GUI, and I found the API call:
GET /auth/admin/realms/{realmName}/users/{userId}/sessions
Which should list all the sessions of the given user.
This call seems to require some set of admin privileges, while ideally
the user's token itself would have access to listing his/her _own_
sessions only, with the ability to revoke their own grants.
Is there any way to do this with Keycloak?
Best regards,
Eivind Larsen
6 years, 8 months
Help Communicate between apps with a scheduled task
by Matteo Salvetti
Hi all,
I need to execute some code inside a scheduled task using Spring Boot.
Inside this task I have to contact another web-app in order to retrieve
some information.
Both of them use Keycloak.
The problem is that when that task starts, I have the error: Cannot set
authorization header because there is no authenticated principal
Why?
How can I communicate between apps using Keycloak auth without doing a login?
I mean, how can I run a task automatically?
Because if I call that method manually, it works.
Thank you!
6 years, 8 months
"An Unexpected Server Error occurs" when clicking on list Users
by Lahari Guntha
Hi All,
I am using Keycloak of version 3.3.0.Final.
I have deployed keycloak as a container. I have LDAP integrated with my Keycloak. So I get all the users from LDAP.
When I go to "Users" > "View All Users", it throws an error saying
"An unexpected Server Error has Occurred".
Did anyone face the same issue?
How can I resolve this issue?
Thanks & Regards,
Lahari.
6 years, 8 months
Enabling comments in a JSON file?
by Eric B
I'd like to add comments to an adapter JSON configuration file to help
document my configuration. However, Keycloak throws an exception when
trying to parse the file:
14:11:53,804 DEBUG [org.keycloak.adapters.jaas.BearerTokenLoginModule]
(default task-15) Unable to find or parse file classpath:/keycloak.json due
to com.fasterxml.jackson.core.JsonParseException: Unexpected character ('/'
(code 47)): maybe a (non-standard) comment? (not recognized as one since
Feature 'ALLOW_COMMENTS' not enabled for parser)
at [Source: java.util.zip.ZipFile$ZipFileInflaterInputStream@3f9359f3;
line: 1, column: 2]: java.lang.RuntimeException:
com.fasterxml.jackson.core.JsonParseException: Unexpected character ('/'
(code 47)): maybe a (non-standard) comment? (not recognized as one since
Feature 'ALLOW_COMMENTS' not enabled for parser)
at [Source: java.util.zip.ZipFile$ZipFileInflaterInputStream@3f9359f3;
line: 1, column: 2]
at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:162)
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:151)
at org.keycloak.adapters.jaas.AbstractKeycloakLoginModule.resolveDeployment(AbstractKeycloakLoginModule.java:103)
at org.keycloak.adapters.jaas.AbstractKeycloakLoginModule.initialize(AbstractKeycloakLoginModule.java:83)
Looking through the code, I see that the Keycloak JSON parser is
created/defined as:
org.keycloak.adapters.KeycloakDeploymentBuilder:
    public static AdapterConfig loadAdapterConfig(InputStream is) {
        ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
        mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
        AdapterConfig adapterConfig;
        try {
            adapterConfig = mapper.readValue(is, AdapterConfig.class);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return adapterConfig;
    }
Is there any way I can configure the mapper to allow comments? I.e., I'm
looking to set:
    SystemPropertiesJsonParserFactory.enable(JsonParser.Feature.ALLOW_COMMENTS);
But without dependency injection, I'm not sure how I can override the
factory definition cleanly, without having to resort to some ugly hacks
(e.g. AspectJ).
I'm guessing there might be a way to define a custom
KeycloakDeploymentBuilder, but I can't figure out how to configure that (if
it even exists).
Is there any chance to override/modify these settings?
Thanks,
Eric
6 years, 8 months
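Added example, not Eric's code and not Keycloak's: since the adapter's mapper is built without ALLOW_COMMENTS, one workaround that needs no change to KeycloakDeploymentBuilder is to keep a commented source file and strip the comments at build time, emitting the strict keycloak.json the adapter actually reads. The stripper below removes `//` and `/* */` comments only outside string literals, so URLs such as `https://...` inside values survive, and it refuses unterminated strings or block comments rather than emitting a file that parses differently from what was written. The sample configuration is constructed.

```python
"""Strip JavaScript-style comments from a JSON file before a strict parser reads it.

Added example: a build-time workaround for adapter configs whose parser
does not enable ALLOW_COMMENTS. Comments are removed only outside string
literals; escapes inside strings are honoured.
"""
import json


def strip_json_comments(text):
    """Return text with // line comments and /* */ block comments removed.

    Raises ValueError on an unterminated string or block comment, which is
    preferable to silently producing a config that parses differently.
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # keep the escaped char verbatim, e.g. \" or \/
                out.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_string = False
            i += 1
            continue
        if ch == '"':
            in_string = True
            out.append(ch)
            i += 1
            continue
        if text.startswith("//", i):          # drop to end of line, keep the newline
            end = text.find("\n", i)
            i = n if end == -1 else end
            continue
        if text.startswith("/*", i):
            end = text.find("*/", i + 2)
            if end == -1:
                raise ValueError("unterminated block comment at offset %d" % i)
            i = end + 2
            continue
        out.append(ch)
        i += 1
    if in_string:
        raise ValueError("unterminated string literal")
    return "".join(out)


def load_commented_json(text):
    """Parse a commented JSON document with the standard strict parser."""
    return json.loads(strip_json_comments(text))


# Constructed sample: a keycloak.json carrying documentation comments.
SAMPLE_KEYCLOAK_JSON = """{
  // Realm the adapter belongs to
  "realm": "demo",
  "auth-server-url": "https://sso.example.test/auth", /* trailing block comment */
  "resource": "my-app",
  "ssl-required": "external",
  "credentials": {
    "secret": "not//a//comment"   // slashes inside a string are data, not a comment
  }
}
"""

if __name__ == "__main__":
    # Typical use: read keycloak.json.commented, write the stripped keycloak.json
    # into the build output; here the constructed sample stands in for the file.
    print(json.dumps(load_commented_json(SAMPLE_KEYCLOAK_JSON), indent=2))
```

Run it as a build step (for example before packaging the WAR) so the classpath copy of keycloak.json is always the stripped output; the commented source stays in version control as the documented form.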
Prompting user to select "active" group
by Richard Abdill
Hi all, kind of a peculiar question for the group: We currently have a
login system set up with Keycloak in which users can successfully log in
and have their group membership imported via SSSD. The unusual part is what
needs to happen next: If a user is a member of multiple groups, we need to
present a prompt for the user to select a single group to use for this
particular session. For example, if a user is a member of groups "alpha,"
"secondary," and "seven," we want to ask them which group they're going to
be "in" for this session, and then send along only *that* group in the
assertion, rather than all of them, as it's doing now.
We're trying to figure out a way to accomplish this, and I thought it'd be
best to check with the community to see if anyone has dealt with a similar
issue or happened to know about a package that does something like this.
I'm guessing a custom post-login flow is what's needed, but does anyone
have any thoughts?
Best,
Rich
6 years, 8 months
Switch User enhancement - How best to modify Browser Flow
by Ryan Slominski
Hi Keycloak Users,
I'm looking for suggestions on ways to configure a Keycloak realm to allow Kerberos SPNEGO, but at the same time also allow switching users. I've made some suggestions to the existing enhancement JIRA here:
https://issues.jboss.org/browse/KEYCLOAK-1727
I'd like to consider a "continue as $username" button in the event SPNEGO worked instead of automatically returning successful login. I'm looking at the Authentication API and Browser Flow docs:
https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
Perhaps we could create a "Check if SPNEGO Worked and Prompt to Confirm" Authenticator and assign it an Execution Requirement of "Required", and configure the Browser Login flow to include the new Authenticator after the Kerberos Execution, but before the Forms subflow. The logic in the new Authenticator might look like:
if (SPNEGO worked) {
    // Show special form with button labeled "Continue as $username" beside a regular username/password form. This way user can choose to switch users or just continue as the OS user.
} else {
    // Continue with regular form subflow as usual.
}
Does the Authenticator API support this?
Thanks,
Ryan
6 years, 8 months
Can I pass a principal with rest template if I'm using an async task with Spring Boot and Keycloak?
by Matteo Salvetti
Hi all,
I'm using Spring Boot and Keycloak to develop a web-app. Then I wrote a
scheduled task where I'm using the KeycloakRestTemplate to request some data from
another app, as you can see below:
    @Override
    @Scheduled(cron = "0 50 09 * * MON-FRI")
    public void concludiCommessa() {
        try {
            FDto[] ftts = new ObjectMapper().readValue(
                    restTemplate.getForEntity(URI.create(MY_URL), String.class).getBody(),
                    FDto[].class);
            ..............................
        } catch (RestClientException | IOException e) {
        }
    }
If I run it on the server I have the following error:
2018-04-18 09:50:00.067 ERROR 2503 --- [pool-8-thread-1]
o.s.s.s.TaskUtils$LoggingErrorHandler : Unexpected error occurred
in scheduled task.
java.lang.IllegalStateException: Cannot set authorization header
because there is no authenticated principal
at org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory.getKeycloakSecurityContext(KeycloakClientRequestFactory.java:70)
~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
at org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory.postProcessHttpRequest(KeycloakClientRequestFactory.java:55)
~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
at org.springframework.http.client.HttpComponentsClientHttpRequestFactory.createRequest(HttpComponentsClientHttpRequestFactory.java:207)
~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.http.client.support.HttpAccessor.createRequest(HttpAccessor.java:85)
~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:656)
~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:636)
~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:336)
~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at it.edile.service.api.ApiServiceImpl.concludiCommessa(ApiServiceImpl.java:287)
~[classes/:0.0.1-SNAPSHOT]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
~[na:1.8.0_161]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[na:1.8.0_161]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[na:1.8.0_161]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_161]
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:65)
~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:81)
[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[na:1.8.0_161]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_161]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
[na:1.8.0_161]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
[na:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[na:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[na:1.8.0_161]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_161]
Why?
How can I pass a principal if I'm using an async task?
This is my security configuration:
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_SINGLETON)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(keycloakClientRequestFactory);
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
These are my Keycloak properties:
#######################################
# KEYCLOAK #
#######################################
keycloak.realm=MY_REALM
keycloak.auth-server-url=MY_URL/auth
keycloak.ssl-required=external
keycloak.resource=EdilGest
keycloak.credentials.jwt.client-key-password=PWD
keycloak.credentials.jwt.client-keystore-file=classpath:CLIENT.jks
keycloak.credentials.jwt.client-keystore-password=PWD
keycloak.use-resource-role-mappings=true
keycloak.principal-attribute=preferred_username
I'm also trying to use the Service Account now, but it doesn't work at the
moment... Reading here:
https://www.keycloak.org/docs/latest/server_admin/index.html#_service_acc...
I have to send a request like:
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
to Keycloak, but how can I send it using Spring? And how can I set the JKS
instead of client and secret?
My security configuration:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public KeycloakClientRequestFactory keycloakClientRequestFactory;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .httpBasic()
            .disable();
        http
            .authorizeRequests()
            .antMatchers("/webjars/**").permitAll()
            .antMatchers("/resources/**").permitAll()
            .anyRequest().hasAuthority("......")
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
            .permitAll()
            .logoutSuccessUrl(mux)
            .invalidateHttpSession(true);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(keycloakClientRequestFactory);
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/resources/**", "/static/**", "/css/**",
                    "/js/**", "/images/**", "/webjars/**");
    }
}
If you want, please take a look here:
https://stackoverflow.com/questions/49900124/can-i-pass-a-principal-with-...
6 years, 8 months
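Added example, not Matteo's or Keycloak's code, for both of his posts above ("Help Communicate between apps with a scheduled task" and this one): a scheduled task runs with no logged-in user, and KeycloakClientRequestFactory reads the token from the current security context, which is exactly what the "no authenticated principal" error in the trace reports. The job therefore has to authenticate as the application itself with the client_credentials grant quoted from the docs and carry the resulting access token as a Bearer header on the outbound call. The block is written with Python's standard library to show the exchange independently of Spring; base URL, realm, client id/secret and the fake token endpoint used to run it offline are constructed (the client id and secret are the ones in the quoted docs example).

```python
"""Service-account token for a background job: the client_credentials exchange.

Added example. The request shape is the one quoted from the Keycloak docs:
  POST {base}/realms/{realm}/protocol/openid-connect/token
  Authorization: Basic base64(client_id:client_secret)
  Content-Type: application/x-www-form-urlencoded
  grant_type=client_credentials
"""
import base64
import json
import urllib.parse
import urllib.request


def client_credentials_request(base_url, realm, client_id, client_secret):
    """Build the token request; no user session or principal is involved."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return {
        "url": f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        "headers": {
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urllib.parse.urlencode({"grant_type": "client_credentials"}),
    }


def http_post_form(url, headers, body):
    """Default transport: POST the form body, return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_service_account_token(base_url, realm, client_id, client_secret, post=http_post_form):
    """Return the access token for the client's service account, or raise."""
    req = client_credentials_request(base_url, realm, client_id, client_secret)
    reply = post(req["url"], req["headers"], req["body"])
    if "access_token" not in reply:
        raise RuntimeError("token endpoint returned no access_token: %s" % reply.get("error"))
    return reply["access_token"]


def bearer_headers(token):
    """Headers to put on the call to the other application."""
    return {"Authorization": "Bearer " + token}


# --- constructed values so the example runs offline -------------------------
BASE = "https://sso.example.test/auth"   # constructed
REALM = "demo"                            # realm from the quoted docs example
CLIENT_ID = "product-sa-client"           # client id from the quoted docs example
CLIENT_SECRET = "password"                # secret from the quoted docs example


def fake_post(url, headers, body):
    """Stand-in token endpoint: accepts only the expected grant and credentials."""
    expected = client_credentials_request(BASE, REALM, CLIENT_ID, CLIENT_SECRET)
    if url != expected["url"] or headers.get("Authorization") != expected["headers"]["Authorization"]:
        return {"error": "unauthorized_client"}
    if urllib.parse.parse_qs(body).get("grant_type") != ["client_credentials"]:
        return {"error": "unsupported_grant_type"}
    return {"access_token": "constructed.access.token", "token_type": "bearer", "expires_in": 300}


if __name__ == "__main__":
    token = fetch_service_account_token(BASE, REALM, CLIENT_ID, CLIENT_SECRET, post=fake_post)
    print(bearer_headers(token))
```

In the Spring setup above the same token would go into the Authorization header of a plain RestTemplate call from the scheduled method, leaving KeycloakRestTemplate for request threads that do have a logged-in user. The docs' Basic header decodes to `product-sa-client:password`, which the constructed values reproduce. For the JKS-based credential in the properties file, the client authenticates with a signed JWT instead of the Basic header: the form carries `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` and a `client_assertion` field holding the JWT signed with the keystore's private key; producing that assertion needs a JWT library and is not shown here.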