Keycloak 3.4.x client-url and SSO questions
by PEETERS.THOMAS (ICT)
Hey all,
While implementing a Keycloak based secure application set (3 internal web applications) with Spring-Security, I’ve come upon some details that I can’t seem to find an adequate answer to.
Our environment and implementations:
The security layer is implemented on the front-end only (for now).
JBoss EAP 6.4, JSF 2.1 Mojarra with RichFaces 4, Spring 3.2.18, Spring-security 3.2.10, Keycloak-spring-security-adapter 3.4.1 (same as the Keycloak server being used).
What we’ve got working:
2 applications with SSL and SSO. Both redirect to the Keycloak login page. When we log in to app1 we’re also logged in to app2, so that’s good.
What we want but can’t seem to achieve:
· Log out of app1 --> refresh of app2 should redirect to the Keycloak login page.
At this point it seems that the user credentials remain active as long as the browser session remains active.
· After successful login from the Keycloak login page always redirect to the application welcome page (index.xhtml for instance).
Use case: A user is working in one of our secured applications, has had their browser session end and clicks on some kind of link. The application correctly redirects this user to the Keycloak login page. The user correctly logs in and gets taken back to where he/she was. However, when this is an AJAX kind of request the user sees plain XML when taken back to the application. To avoid this I would like to always redirect to the welcome page of the application when the user logs in through the Keycloak login page. I can’t seem to find a way to do this.
· Logout doesn’t always work well. Sometimes the Spring AntPathRequestMatcher doesn’t correctly match our logout pattern (/sso/logout**). Therefore we’ve provided an alternative that we’ve found in the documentation in the form of:
https://<keycloak-url-with-port>/auth/realms/<realmName>/protocol/openid-connect/logout?redirect_uri=<Application-base-URL>
However, this doesn’t always work either. There are situations, depending on invalid rights for certain application parts, where this never logs out a user.
We’ve got a Spring-security application context in XML that is roughly the same as the one found in the documentation. And a keycloak.json file that looks like this:
{
"realm": "<realmName>",
"auth-server-url": "<keycloak-url-with-port>/auth",
"ssl-required": "all",
"truststore": "<working-truststore>",
"truststore-password":"<a-working-pwd>",
"resource": "<App1-name>",
"public-client": true,
"always-refresh-token": true
}
Due to the large number of Keycloak releases and accompanying configuration changes it’s really hard for us to find relevant information. When we first started by creating a POC we used the most recent Keycloak version (3.4.1-Final). A lot of information that is not old appears to be outdated. Just an observation.
Thanks for reading.
6 years, 6 months
Group-based permissions for resources
by Christian Stier
Dear all,
I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC.
The application manages resources based on their association with user groups. Its simplified path schema is similar to
/{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to
map organizations to Keycloak user groups.
1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined
for the path /{organization}/{resourcename}? My idea here was to check if the organization path of a URL matches a scope of the
calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API but I did not see
a way to check against path parameters.
2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of
group-based authorization?
Thanks for any pointers and input.
Best regards
Christian
6 years, 6 months
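As an added example (not code from the post or from Keycloak), this is the resource-server-side check the question describes: take the organization segment of a /{organization}/{resourcename} path and compare it with the group memberships carried in the caller's access token. It assumes the adapter has already verified the token signature, that a group membership mapper emits a "groups" claim with full group paths (e.g. "/acme"), and that each organization is a top-level group with the same name.

```javascript
// Added example: path-based organization check against Keycloak group claims.
// Assumptions: token signature verified upstream; "groups" claim holds full
// group paths; organization == top-level group name.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  // Decodes the claims only; signature verification is the adapter's job upstream
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function organizationFromPath(path) {
  // Strip query/fragment, require /{organization}/{resourcename}, reject odd segments
  const clean = path.split(/[?#]/)[0];
  if (!clean.startsWith('/')) return null;
  const segments = clean.split('/').filter(Boolean);
  if (segments.length < 2) return null;
  let org;
  try { org = decodeURIComponent(segments[0]); } catch (e) { return null; }
  return /^[A-Za-z0-9_-]+$/.test(org) ? org : null;
}

function isAuthorized(path, claims) {
  const org = organizationFromPath(path);
  if (!org) return false;
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  // Compare against the top-level group name; "/acme" and "acme" both mean acme,
  // nested paths such as "/parent/acme" deliberately do not match
  return groups.some((g) => (g.startsWith('/') ? g.slice(1) : g) === org);
}

// Constructed sample token: only the payload matters here, the signature is a placeholder
const base64Url = (s) => Buffer.from(s).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const SAMPLE_TOKEN = [
  base64Url(JSON.stringify({ alg: 'RS256', kid: 'constructed' })),
  base64Url(JSON.stringify({ sub: 'user1', groups: ['/acme', '/globex'] })),
  'signature-placeholder',
].join('.');
const SAMPLE_CLAIMS = decodeJwtPayload(SAMPLE_TOKEN);

console.log(isAuthorized('/acme/report1', SAMPLE_CLAIMS), isAuthorized('/initech/report1', SAMPLE_CLAIMS));
```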
Using the Keycloak js adapter in a Mobile App
by Stephen Coady
Hi,
I am currently trying to use the Keycloak JS adapter to log in on a mobile
device. We were using the cordova adapter but had to change to the default
as with local development using Openshift this line:
https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.j...
was causing us issues and we could not redirect to the app.
My question is this: is there a way, or a way planned, to handle the code
returned from login with the redirectUri in a mobile view? Currently it
looks as though I will have to parse the returned token myself and then
log in using whatever details it provides me with.
Any help at all would be greatly appreciated.
Thank you.
--
STEPHEN COADY
ASSOCIATE SOFTWARE ENGINEER
Red Hat
<https://www.redhat.com/>
Communications House, Cork Road
Waterford City, Ireland X91NY33
scoady(a)redhat.com IM: scoady
<https://red.ht/sig>
6 years, 6 months
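As an added example (not code from keycloak.js or from the post), this shows what "handling the code returned from login" amounts to on the app side: parse the callback URL the device receives at the redirectUri, accept it only if its state matches the value saved before redirecting, and build the token request for the authorization code. Keycloak returns the parameters in the URL fragment by default (query mode is handled too); the custom scheme myapp://callback, the realm and the client name are assumptions.

```javascript
// Added example: OIDC authorization-code callback handling for a mobile app.
// Assumptions: redirectUri is myapp://callback; realm "demo"; public client
// "mobile-app"; the state value was generated unpredictably (e.g. with
// crypto.randomBytes) and stored before the login page was opened.

function parseLoginCallback(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  // Keycloak puts the parameters in the fragment by default, or in the query string
  const raw = u.hash ? u.hash.slice(1) : u.search.slice(1);
  const params = new URLSearchParams(raw);
  // A response whose state does not match must be discarded, whatever else it carries
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (params.get('error')) {
    return { ok: false, reason: params.get('error'), description: params.get('error_description') || '' };
  }
  const code = params.get('code');
  if (!code) return { ok: false, reason: 'missing code' };
  return { ok: true, code, sessionState: params.get('session_state') };
}

function buildTokenRequest(authServerUrl, realm, clientId, code, redirectUri) {
  // Public client: no secret; redirect_uri must equal the one used in the login request
  const url = `${authServerUrl.replace(/\/$/, '')}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
  const body = new URLSearchParams({
    grant_type: 'authorization_code', client_id: clientId, code, redirect_uri: redirectUri,
  });
  return {
    url, method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Constructed callback as the device would receive it after a successful login
const savedState = 'f00dcafe0123456789abcdef01234567';
const SAMPLE_CALLBACK = `myapp://callback#state=${savedState}&session_state=11111111-2222&code=abc.def.ghi`;
const result = parseLoginCallback(SAMPLE_CALLBACK, savedState);
const tokenRequest = result.ok
  ? buildTokenRequest('https://keycloak.example/auth', 'demo', 'mobile-app', result.code, 'myapp://callback')
  : null;
console.log(result, tokenRequest && tokenRequest.url);
```

The token response then carries the access, refresh and ID tokens that keycloak.js would otherwise populate for you.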
Why and what are the files under installation tab of client tab in keycloak
by vandana thota
What are these files used for, and why? These files are under the
installation tab of the client tab in the Keycloak user interface page.
1)SAML Metadata IDPSSO Descriptor.
2)Keycloak SAML adapter-saml.xml
3)SAML Metadata SPSSODescriptor
4)keycloak SAML Wildfly/ Jboss Subsystem
5)Mod auth Mellon files
6 years, 6 months
Keycloak doubts securing WAR via SAML subsystem
by vandana thota
Hello All,
From the doc below I have a few doubts:
https://www.keycloak.org/docs/2.5/securing_apps/topics/saml/java/saml-jbo...
1st doubt :
I want to take this option "Securing WARs via Keycloak SAML Subsystem":
we need to configure this instance's .xml file
<extensions>
<extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>
</extensions>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
<secure-deployment name="WAR MODULE NAME.war">
<SP entityID="APPLICATION URL">
...
</SP>
</secure-deployment>
</subsystem>
</profile>
From the above content, which is given in the document, I did not get this
thing from the lines "
The secure-deployment name attribute identifies the WAR you want to secure.
Its value is the module-name defined in web.xml with .war appended."
Do I have to put it like this: </secure-deployment> "sample.war" </secure-deployment> or </secure-deployment> "sample.war"?
Sample.war is the deployment file which I have deployed on the wildfly
instance.
################
From the lines below, which are mentioned in the doc, I have a few doubts
"You do not have to crack open a WAR to secure it with Keycloak.
Alternatively, you can externally secure it via the Keycloak SAML Adapter
Subsystem. While you don’t have to specify KEYCLOAK-SAML as an auth-method,
you still have to define the security-constraints in web.xml. You do not,
however, have to create a WEB-INF/keycloak-saml.xml file. This metadata is
instead defined within the XML in your server’s domain.xml or
standalone.xml subsystem
configuration section."
(2nd doubt)
(2) Do I have to define security-constraints in web.xml?
(2.a) In that case there is no need to create the keycloak-saml.xml file?
(2.b) If I have to create the keycloak-saml.xml file, from where and what
content needs to be in this keycloak-saml.xml file?
(3rd doubt)
(3) Which metadata is already defined in the standalone.xml file of the wildfly
instance?
(3.a) As it's already defined, there is no need to define
security-constraints in web.xml?
(3.b) There is no need to create the keycloak.xml file under the WEB-INF folder?
Thanks,
Vandana
6 years, 6 months
Fine-grained permissions to map a client role to a group
by Leistert Christoph (INST/ECS2)
Hello,
We use Keycloak 3.4.3 and we are trying to find a way to let users create clients with a client role and map this client role to a group they are already a member of.
For the client creation and client role creation we assigned the realm role "manage-clients" to the users and this is okay for our setup. Additionally the users are assigned to the "query-groups" realm role, so that they could see the groups.
We struggle a bit with the right role/permissions setup to map the client role to a group.
First, we tried to use realm roles only. However, for mapping a role to a group the "manage-users" role is needed, which allows the user also to e.g. see all users. This should not be possible for these users.
Now we try to use fine-grained permissions to realize our scenario. But for the group entity there are no fine-grained permissions, and the "map-role" permission of the "Users" resource does not allow mapping a role to a group (403 Forbidden).
Is there any other way than using the "manage-users" realm role to map a client role to a group?
Is it planned to add fine-grained permissions for a "Groups" resource?
Best regards
Christoph Leistert
(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com<http://www.bosch-si.com>
6 years, 6 months
brokered-login only
by mj
Hi,
Is there a way to create a realm in keycloak with a few brokered IdPs,
*without* the local username/password fields on the login screen, but
*only* a list of external IdPs to choose from?
Thanks!
MJ
6 years, 6 months
Keycloak as SAML IdP - Google sign-out problem
by Rodolfo De Nadai
Hi,
I'm configuring my keycloak installation as an IdP and Google apps as an
SSO.
I'm able to log in but when trying to log out I had no success...
My configuration follows the one described here:
https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-...
There was a thread on the mailing list that was also able to log in, but it
didn't mention the logout process. As I thought it should be almost as
transparent, and since no documentation says anything, this is beginning to
turn into a problem.
If someone could help or point me in some direction, I'd appreciate it.
thanks
6 years, 6 months
Keycloak not sending backchannel logout requests
by Aram Aslanyan
Hi,
I am using Keycloak 3.4.3.
My webapp uses Keycloak adapter to interact with auth server.
I am using Open ID Connect protocol.
Admin URL is provided for the client in Keycloak server.
When I log out a user session via the Keycloak admin console, it seems not to send
a backchannel logout request to my webapp. The local session still lives (until
the access token becomes invalid).
What am I missing?
Thanks, Aram
--
*Aram Aslanyan*
Application Developer
Email: *aram.aslanyan(a)clincapture.com <aram.aslanyan(a)clincapture.com>*
*www.clincapture.com <http://www.clincapture.com/>*
6 years, 6 months