Add custom roles in realm-management client
by Waldemar Schmalz
Hello,
I have created a new client-role in client "realm-management". It's called
"manage-roles" and its purpose is (or should be) to grant users access to
create, edit and delete roles in their realms. In the base theme this is
only possible when users have access to the role "manage-realm" in client
"realm-management". But with this client-role the user is able to manage
the whole realm, not only the roles. My user is only allowed to manage
roles, users and groups in this case.
I changed the HTML files so that the Keycloak sidebar menu is working: the menu
item "Roles" is visible for a user with my custom client-role "manage-role".
I also extended the getAccessObject() method in my theme's
controller/realm.js with the needed new role "manageRoles".
Accessing the roles-list page is working, but accessing the role-details
page (when clicking on a specific role) fails. I get a 403 Forbidden. My
question is: is there something I forgot? Where is the check for returning
a 200 OK or a Forbidden for this case? It seems it is not in the template
files, as it is for the side menu?
If I forgot any information or something, please contact me.
Thank you, your help is much appreciated!
Best regards
Waldemar
6 years, 6 months
Architectural Blueprint/Recommendations
by Everson, David (MNIT)
Hello,
Our organization has been using Keycloak over the last few years. During this time, several versions and implementation approaches of Keycloak have popped up in the organization as various organizational units leveraged Keycloak.
We are now at the point of taking Keycloak to the next level of maturity within the organization with a common architecture and governance model around Keycloak/IDAM.
We have convened a working group to take our experiences to-date and formulate an architecture which the organization can move forward with. The major point of contention with the future architecture is the nature in which the instances and realms are deployed.
To this end, I am looking for some feedback from the community regarding the most scalable architectural blueprint/recommendation to help achieve the following requirements and questions:
Here is a list of our assumptions/constraints:
1. The organization consists of 10 organizational units (i.e. realms).
2. Each organization unit supports 10-15 applications (i.e. clients) requiring authentication/authorization.
3. The primary application profile is a web application. (i.e. keycloak access type of 'confidential')
4. The organization is starting to develop an increasing number of web services which leverage bearer-only authn/authz.
5. For the organization, Keycloak would support 100,000 users.
6. Of the 100,000 users, 1-2% of those users would be federated via Active Directory.
7. Within an organization unit, users should be able to leverage SSO for any application within the organizational unit.
8. The primary usage of applications is between core business hours.
9. The applications are accessible 24x7.
10. On any given day, about 20% of the total user base may log into at least one application.
11. Due to inactivity requirements, users may typically have to re-authenticate multiple times during the day.
12. The organization has a desire to maintain a common set of IDAM policies and reporting (i.e. governance) across all organizational units.
13. The organization would provide a default template for all organizational units.
14. Each organization unit may modify/create their own template as business requirements dictate.
15. Keycloak should be clustered for high availability.
16. Keycloak environment would be hosted on AWS, more than likely EC2 instances.
17. Client applications also hosted in AWS.
18. Keycloak's database would be PostgreSQL hosted in AWS RDS.
A few questions/concerns of the working group:
A. Is there any information available on the maximum size of a Keycloak installation? Will Keycloak be scalable and performant given the above assumptions and constraints?
B. What's the best recommendation for distributing the Keycloak instances and realms? Right now the group has three options on the table: 1) A single Keycloak install per application (i.e. client); 2) A single Keycloak install per organizational unit (i.e. realm); or 3) A single Keycloak install per organization (i.e. serving all realms and clients).
C. A major concern the group has with a single Keycloak install (#3 in the previous bullet) is the high availability in terms of performance, and concerns about a rogue client affecting other applications negatively. What is the community's recommendation for addressing this concern?
D. Another major concern the group has with a single Keycloak install is the restarts that are necessary when an organizational unit deploys a new or updated template. The concern is that all applications would be unavailable during the restart. We would be operating in a clustered environment; is the best solution to this concern restarting individual members of the cluster rather than the entire cluster?
E. For reporting and governance processes, the Keycloak API performs quite poorly when we execute use cases such as "Report all Users of an Application". Given the version we are currently on, to accomplish this we need to query all users in the realm and then filter the users by whether they have the client/role combination. We understand that a future release addresses this use case, but in the meantime the concern is that such a query will negatively affect all other clients using Keycloak. Any recommendations on handling this use case prior to Keycloak 4.x?
F. Upgrading versions of Keycloak. We have experienced some difficulty upgrading versions on the server side (we need to export and import rather than a simple DB backup and deployment). What are the recommendations for handling the upgrade of Keycloak from one version to the next given the size of our user base?
I'm sorry for the long post, hopefully folks get to this point. Any insight that we could receive would be greatly appreciated. We are at a critical crossroads in our Keycloak adoption and want to ensure we do this correctly.
Thanks!
Dave
Dave Everson
Application Development Team Lead | Environmental Health
Minnesota IT Services | Partners in Minnesota Department of Health
625 Robert Street North
St. Paul, MN 55155
O: 651-201-5146
Information Technology for Minnesota Government | mn.gov/mnit<http://mn.gov/mnit>
6 years, 6 months
Keycloak: Failed to verify token - Invalid token issuer
by Henning Waack
Hi all.
Using KC 4.0.0.Final behind an Apache https proxy, we have the following issue with OIDC tokens as logged in the Keycloak server.log:
2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Verifying access_token
2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://nak/auth/realms/NAK', but was 'https://nak.xxx.de/auth/realms/NAK'
at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108)
---
The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration" looks fine, all endpoints have the right format, e.g.
> issuer: "https://nak.xxx.de/auth/realms/NAK"
> authorization_endpoint: "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth"
> token_endpoint : "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token"
The X-Forwarded headers also look fine; I have enabled header logging in Wildfly, and we have the following headers for example:
header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5
header=X_FORWARDED_PROTO=https
header=Host=nak.xxx.de
header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de
header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de
header=X-Forwarded-Proto=https
In my KC standalone.xml config I have set the "proxy-address-forwarding" parameter for the http-listener to "true".
So why is KC still expecting the token issuer to be "http://nak/..." instead of "https://nak.xxx.de/..."?
Thanks & greetings
Henning
6 years, 6 months
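The log line above comes from TokenVerifier's RealmUrlCheck, which compares the token's iss claim with a realm URL string the verifier was configured with. The following is an added example, not code from the original post or from Keycloak: it decodes a JWT payload (without checking the signature) and performs that same exact-string issuer comparison, building the expected value from an assumed auth-server URL plus the realm name, so the scheme/host mismatch in the log can be reproduced offline.

```python
import base64
import json

def _b64url_decode(seg: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS (header.payload.signature).
    No signature verification: this only looks at the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Realm URL an adapter derives from its configured auth-server URL
    (assumed layout: <auth-server-url>/realms/<realm>)."""
    return auth_server_url.rstrip("/") + "/realms/" + realm

def issuer_check(token: str, auth_server_url: str, realm: str):
    """Exact string comparison of iss against the expected realm URL,
    the way RealmUrlCheck does it. Returns (ok, actual, expected)."""
    actual = jwt_payload(token).get("iss")
    expected = expected_issuer(auth_server_url, realm)
    return actual == expected, actual, expected

def make_test_token(claims: dict) -> str:
    """Constructed, unsigned test token (empty signature segment); it only
    exists to exercise the claim check above."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Constructed sample: iss as the public proxy URL seen in the post.
SAMPLE = make_test_token({"iss": "https://nak.xxx.de/auth/realms/NAK", "sub": "user1"})

if __name__ == "__main__":
    for url in ("http://nak/auth", "https://nak.xxx.de/auth"):
        ok, actual, expected = issuer_check(SAMPLE, url, "NAK")
        print(f"auth-server-url={url}: ok={ok} expected={expected} actual={actual}")
```

Because the comparison is a plain string equality, scheme, host and path prefix of the configured URL must all match the iss the server puts in the token.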
how to import json user md5 password?
by Gérald Payet
Dear All,
Can somebody explain how to import users from a current database?
All info in the JSON file is fine except the MD5 password.
Is there a way to manage my current MD5 passwords at the beginning (the import
process with the JSON file)?
Thanks a lot.
Regards,
*Gérald PAYET*
6 years, 6 months
New ftl template and routing
by Miguel Sanz
Hello,
My team wants to add a new template in the User Account Management because
we need to show other useful data to the user. Of course, if we want to add
this new template, we want to have access to it from the routing and we
also need the user token. I think that we need to modify the server code if
we want to add this new feature. But we would like to modify the code as
little as possible.
How can we add a new template and the route without changing the code much?
Thank you very much.
--
Miguel Sanz Martín
Full-stack Developer
*Kairós Digital Solutions* <http://www.kairosds.com>
Castellana 43 - WeWork, Madrid 28046 <https://goo.gl/maps/rXYrLwh5s6t>
https://www.kairosds.com/
*Legal notice*: This message and any attached file are intended solely for
the addressee and are confidential. If you have received this message in
error, notify the sender and delete it immediately. Use, disclosure and/or
reproduction of the message may constitute a criminal offence.
*Data Protection - Controller: KAIROS DIGITAL ANALITYCS AND BIG DATA
SOLUTIONS, S.L.**Purpose.* Sending information, replying to enquiries and
generic contacts, for as long as our relationship lasts and we have your
consent. *Recipients.* Data will not be transferred to third parties except
under a legal obligation. *Rights.* You may exercise your rights of access,
rectification, erasure and objection, restrict the processing of your data,
object directly to the processing, or exercise the right to data
portability. All of this in writing, accompanied by a copy of an official
identity document, addressed to the CONTROLLER. If you disagree with the
processing, you also have the right to lodge a complaint with the Spanish
Data Protection Agency. You may also object to our commercial communications
(Art. 21.2 of the LSSI) via the following e-mail address: info(a)kairosds.com
6 years, 6 months
Re: [keycloak-user] Secure RESTful API with Keycloak
by Alvaro Martin
Hi,
We are evaluating Keycloak as an IAM for a future application. We are
building a prototype with an Angular front app and a Spring Boot 2 backend.
The backend app exposes a RESTful API whose access we want to restrict
down to the HTTP verb level. At least we want to achieve two access levels
on each endpoint: read-only access (HTTP GET) and full access (GET, POST,
PUT, DELETE).
We have configured Keycloak and built the application but the backend
doesn't seem to restrict the access. Here is the application.yml. We are
trying to set up a ROLE_CLIENT_RO (for read-only) and ROLE_CLIENT_FA (for
full access).
keycloak:
  auth-server-url: http://localhost:8010/auth
  bearer-only: true
  public-client: true
  realm: blue-energy
  resource: client-service
  securityConstraints:
    - authRoles:
        - ROLE_CLIENT_RO
      securityCollections:
        - name: protected resource
          patterns:
            - /clients
            - /clients/
          methods:
            - GET
  ssl-required: external
The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP
verb. If we assign the realm role ROLE_CLIENT_RO to the user, which should
grant just read-only access, he has unrestricted access to the whole endpoint
(i.e. all the verbs).
We are using Keycloak 4.0.0.Final.
Is this configuration supposed to work? We haven't found many references on
how to set up a scenario like this.
Thanks in advance,
*Álvaro Martín García*[image: bluetab.net] <http://www.bluetab.net/>
alvaro.martin(a)bluetab.net
+34 91 457 16 97
+34 687 398 622
6 years, 6 months
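The securityConstraints block in this post is the adapter's YAML form of servlet-style security constraints, and those carry a well-known caveat: a constraint that lists methods covers only those methods, and a verb on the same URL pattern that no constraint lists is left unconstrained unless uncovered methods are explicitly denied. The following is an added example, not code from the post or from Keycloak, that models that rule in Python (assumption: the embedded container the adapter configures follows it) and contrasts the post's single GET-only constraint with a two-constraint layout where every verb on /clients is covered; "/clients/*" is used as a prefix pattern in place of the post's "/clients/".

```python
def matches(pattern: str, path: str) -> bool:
    """Servlet URL-pattern matching: prefix ('/clients/*'),
    extension ('*.json') or exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def decide(constraints, path, method, roles, deny_uncovered=False):
    """Return 'allow', 'deny' or 'uncovered' for one request.

    constraints: list of {"patterns": [...], "methods": [...], "roles": [...]}.
    An empty 'methods' list means the constraint covers every HTTP method.
    Roles of all constraints matching (pattern, method) are unioned, as in
    the servlet spec. A request no constraint covers is 'uncovered' unless
    the container is told to deny uncovered methods.
    """
    covered = False
    for c in constraints:
        if not any(matches(p, path) for p in c["patterns"]):
            continue
        if c["methods"] and method not in c["methods"]:
            continue
        covered = True
        if set(c["roles"]) & set(roles):
            return "allow"
    if covered:
        return "deny"
    return "deny" if deny_uncovered else "uncovered"

# The post's single constraint, transcribed: only GET on /clients is covered,
# so POST/PUT/DELETE on the same paths fall through to 'uncovered'.
RO_ONLY = [
    {"patterns": ["/clients", "/clients/*"], "methods": ["GET"],
     "roles": ["ROLE_CLIENT_RO"]},
]

# Two-level layout: both roles may GET; only the full-access role may use
# any other verb, so every verb on the pattern is covered by a constraint.
TWO_LEVEL = [
    {"patterns": ["/clients", "/clients/*"], "methods": ["GET"],
     "roles": ["ROLE_CLIENT_RO", "ROLE_CLIENT_FA"]},
    {"patterns": ["/clients", "/clients/*"], "methods": [],
     "roles": ["ROLE_CLIENT_FA"]},
]
```

Running decide over RO_ONLY shows a DELETE on /clients/42 by a read-only user coming back as 'uncovered' rather than 'deny', which is the behaviour to test for whenever a constraint lists an explicit method set.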
Admin API: Deleting an offline session
by Eivind Larsen
Hi Keycloak Users
In the admin API there is a call to delete a session by ID:
DELETE /{realm}/sessions/{session}
This works for user (online) sessions, but when given the session ID of an
offline session, it gives a 404 error and nothing is deleted.
Seeing as this is the only way to delete a given sessionId, I would expect
the call to also delete offline sessions.
1. Is there a way to delete an offline session by id?
2. I think it would be more useful if this call was scoped per user.
Currently you have to load all user sessions, verify that this session ID
is indeed owned by the user, then call delete. Scoping per user would make
it impossible to delete a wrong user's session, and it would reduce
requests to the keycloak instance significantly.
Best Regards,
Eivind Larsen
6 years, 6 months
KrakenD and Keycloak
by Peter Awad
We are in the early stages of implementing Keycloak and currently have a
dev environment set up with Keycloak 4.beta3.
One of my dev teams is working on an API proxy with KrakenD but they are
struggling.
I assumed that this was going to be a bearer type and provided them with the
following:
{
  "realm": "InboxAuth",
  "bearer-only": true,
  "auth-server-url": "https://dev-idp03.inboxmarketer.net/auth",
  "ssl-required": "all",
  "resource": "insights-dev",
  "confidential-port": 0
}
as well as a test user, clientId, secret and Reg Token
However, KrakenD appears to want the following:
ClientId - Got that.
Client Secret - Got that.
Token URL - auth server url does not seem to work here.
Scopes - Got that.
So I guess the real question is: what should I be using for the Token URL?
Thanks
*Peter Awad* | Customer Success Specialist
pawad(a)inboxmarketer.com
T: 519.824.6664 x220
*To give real service you must add something which cannot be bought or
measured with money, and that is sincerity and integrity.* ~ Douglas Adams
6 years, 6 months