Need info for network security
by Pakira, Ranjan
Hi,
We are planning to set up Keycloak in a new network and the network security team needs some information. Can you please help us with answers to the following queries?
How is this user data secured at rest and in transit?
Who is in control of Keycloak? And do you have the correct process around access (starters, movers, leavers, etc.)?
Thanks & Regards,
Ranjan Pakira
6 years, 5 months
Using Keycloak 3.4 with Spring Boot 2 Adapter 4
by Benke, Tim
Hello everybody,
It's intuitively clear to me that an outdated adapter communicating with a *newer* Keycloak isn't a great idea, and the documentation suggests importing the JavaScript adapter from the server itself.
What about the opposite case, a new backend adapter with version 4.0.0.Final and an older Keycloak 3.4.3? Is this insecure? We're considering this option to reduce the hassle of updating Keycloak itself and upgrading our custom theme.
Best regards,
Tim Benke
6 years, 5 months
Keycloak integration with mysql.
by Irtiza Ali
Hello everyone,
Keycloak by default uses H2 (via Hibernate) as its DB and I want to replace it with
MySQL. I have followed the guidelines in the documentation but was unable to
figure out whether MySQL is integrated or not.
Kindly provide me some guidelines in this regard:
1) any blog or tutorials for this purpose;
2) any method to validate that MySQL is integrated with Keycloak.
Thank you
Regards
Irtiza Ali
6 years, 5 months
Outbound SSL Connection in SPI
by Henning Waack
Hi.
I am implementing a custom OIDC protocol mapper. Within it I have to make an
HTTPS connection, which currently fails because I do not have a truststore
configured on my HTTP connection.
I have added a truststore SPI to my standalone.xml:

    <spi name="truststore">
        <provider name="file" enabled="true">
            <properties>
                <property name="file" value="${jboss.server.config.dir}/nak.test.jks"/>
                <property name="password" value="****"/>
                <property name="hostname-verification-policy" value="WILDCARD"/>
                <property name="disabled" value="false"/>
            </properties>
        </provider>
    </spi>
But I do not know how to get an HttpClient instance which uses this
truststore. I have tried with:

    org.apache.http.client.HttpClient httpClient = new org.keycloak.connections.httpclient.HttpClientBuilder().build();

and

    DefaultHttpClientFactory factory = new DefaultHttpClientFactory();
    HttpClientProvider httpClientProvider = factory.create((KeycloakSession) session);
    return httpClientProvider.getHttpClient();

whereas the first just does not have the truststore configured, and the
second fails with an NPE.
So how do I get an outbound HTTP connection which uses my truststore SPI?
Thanks & greetings
Henning
--
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
6 years, 5 months
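The outbound call in a custom protocol mapper should go through the HttpClient that Keycloak itself builds from the `connectionsHttpClient` SPI, because that is the client wired to the truststore SPI (and its hostname verification policy); building your own `HttpClientBuilder` or instantiating `DefaultHttpClientFactory` by hand bypasses that wiring. The following mapper is an added example, not code from the original post or from the Keycloak project: it obtains the client through `session.getProvider(HttpClientProvider.class)`, refuses to run when no truststore provider is configured rather than silently falling back to the JVM's default CA set, and fails closed when the lookup fails. It assumes Keycloak 4.x server libraries (keycloak-core, keycloak-server-spi, keycloak-server-spi-private, keycloak-services) on the classpath and the 4.0 `transformAccessToken` signature; the provider id, lookup URL and claim name are hypothetical.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.util.EntityUtils;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;
import org.keycloak.truststore.TruststoreProvider;

// Added example (not the original poster's code): an OIDC access-token mapper that fetches
// one claim over HTTPS using the server's truststore SPI.
public class RemoteAttributeMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    public static final String PROVIDER_ID = "example-remote-attribute-mapper";            // hypothetical
    private static final String LOOKUP_URL = "https://attributes.example.internal/lookup"; // hypothetical
    private static final String CLAIM_NAME = "department";                                 // hypothetical

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Remote attribute (example)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds a claim fetched over HTTPS through the server truststore"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
                                            KeycloakSession session, UserSessionModel userSession,
                                            ClientSessionContext clientSessionCtx) {
        try {
            String user = URLEncoder.encode(userSession.getUser().getUsername(), "UTF-8");
            String value = fetchOverTls(session, LOOKUP_URL + "?user=" + user);
            token.getOtherClaims().put(CLAIM_NAME, value);
        } catch (IOException e) {
            // Fail closed: do not issue a token that silently lacks (or guesses) the claim.
            throw new RuntimeException("attribute lookup failed", e);
        }
        return token;
    }

    /**
     * Outbound GET through the HttpClient Keycloak builds from its own SPI. That client is the
     * one configured with the truststore SPI, so a TLS failure here is a genuine trust failure.
     * The client is shared and owned by the session factory: never close it from a mapper.
     */
    static String fetchOverTls(KeycloakSession session, String url) throws IOException {
        // Assumption: getProvider(TruststoreProvider.class) is null when no truststore is configured
        // (this is the same check DefaultHttpClientFactory makes before wiring the truststore).
        TruststoreProvider truststore = session.getProvider(TruststoreProvider.class);
        if (truststore == null || truststore.getTruststore() == null) {
            throw new IllegalStateException("truststore SPI is not configured; refusing outbound TLS call");
        }
        HttpClient client = session.getProvider(HttpClientProvider.class).getHttpClient();
        HttpResponse response = client.execute(new HttpGet(url));
        try {
            int status = response.getStatusLine().getStatusCode();
            if (status != 200) {
                throw new IOException("lookup returned HTTP " + status);
            }
            return EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8).trim();
        } finally {
            EntityUtils.consume(response.getEntity()); // return the connection to the pool
        }
    }
}
```

Register the mapper with a `META-INF/services/org.keycloak.protocol.ProtocolMapper` entry as for any protocol mapper. The NPE from `new DefaultHttpClientFactory().create(session)` in the post is expected: that factory is only initialised by the server through `init()`/`postInit()`, so the right way to get the configured client is always the provider lookup on the `KeycloakSession`.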
Close EntityManager in RealmResourceProvider?
by Henning Waack
Hi.
I am implementing a RealmResourceProvider (KC 4.0) in which I use an
EntityManager provided by the KeycloakSession to access the KC DB:

    EntityManager em = ((KeycloakSession) session).getProvider(JpaConnectionProvider.class).getEntityManager();

In my class which extends
org.keycloak.services.resource.RealmResourceProvider and uses this
EntityManager, do I have to close the EM instance after using it? Or do I
have to close it in my RealmResourceProviderFactory.close() method, where I
obtain it from the session?
Thanks & greetings
Henning
6 years, 5 months
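The EntityManager returned by `JpaConnectionProvider.getEntityManager()` is owned by that provider, which Keycloak closes together with the request's `KeycloakSession`; a realm resource should neither close it nor hold it across requests. The following is an added example, not code from the original post or the Keycloak project, showing the per-request shape: the factory creates one provider per session, the provider's `close()` is a no-op for the EM, and the JAX-RS method authenticates the caller before it touches the database, since custom realm resources are otherwise reachable by anyone who can reach the realm URL. It assumes Keycloak 4.x server libraries and that `AppAuthManager.authenticateBearerToken(KeycloakSession)` returns `null` for a missing or invalid bearer token; the provider id is hypothetical.

```java
import javax.persistence.EntityManager;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

// Added example (not the original poster's code). Factory: one instance per server;
// create() runs once per request with that request's KeycloakSession.
public class UserCountResourceProviderFactory implements RealmResourceProviderFactory {
    public static final String ID = "example-user-count"; // hypothetical; mounts at /auth/realms/{realm}/example-user-count

    @Override public RealmResourceProvider create(KeycloakSession session) { return new UserCountResourceProvider(session); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { } // factory lifetime only: no per-request resource belongs here
    @Override public String getId() { return ID; }
}

class UserCountResourceProvider implements RealmResourceProvider {
    private final KeycloakSession session;

    UserCountResourceProvider(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() { return this; }

    // Called when the request's KeycloakSession closes. Nothing to do for the EntityManager:
    // JpaConnectionProvider closes it with the session, and closing it here would break any
    // other provider still using it during the same request.
    @Override public void close() { }

    @GET
    @Path("count")
    @Produces(MediaType.APPLICATION_JSON)
    public Response count() {
        // Authenticate the bearer token and require a realm-management role before any DB access.
        AuthenticationManager.AuthResult auth = new AppAuthManager().authenticateBearerToken(session);
        if (auth == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        AccessToken.Access realmMgmt = auth.getToken().getResourceAccess("realm-management");
        if (realmMgmt == null || realmMgmt.getRoles() == null || !realmMgmt.getRoles().contains("view-users")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        // Obtain the EM per request from the session; do not cache it in a field of the factory.
        EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
        Long users = em.createQuery(
                        "select count(u) from UserEntity u where u.realmId = :realm", Long.class)
                .setParameter("realm", session.getContext().getRealm().getId())
                .getSingleResult();
        return Response.ok("{\"users\":" + users + "}").build();
    }
}
```

The factory needs a `META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory` entry. Obtaining the EM inside the request method (rather than in `RealmResourceProviderFactory.create()` and storing it) keeps the lifetime question simple: the object you use is always the one bound to the current session.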
Sharing default configuration for keycloak deployment
by Test Oauth
I am shipping Keycloak with my application and there is some default
configuration that I have done. I want to ship this default configuration
(like admin name/password, realm names, etc.) with my application so that the
customers can bring the basic authentication flow up with a single click
(of probably a batch file).
Is there a way to do this?
6 years, 5 months
Upgrading Keycloak 3.4.2 to 4.1.0 in docker
by Erlend Hamnaberg
Hello all.
I was wondering if it is required to run the upgrade steps (apart from the
database migrations and themes) when deploying Keycloak in dockerized form?
I am of course extending

    FROM jboss/keycloak:4.1.0.Final

I started the server with just upgrading the database automatically, and it
seems to work fine.
Am I missing some other important step?
/Erlend
6 years, 5 months
Extract user roles from jwt auth token
by Irtiza Ali
I am using this endpoint:

    XXXXXXXXXX/protocol/openid-connect/token

to authenticate the user. Once the user is authenticated a JSON (JWT) is
returned from Keycloak.
Decoded JWT JSON:

    {
      "jti": "30d233b2-bba8-4f21-bc51-8c867cd5db8b",
      "exp": 1532326409,
      "nbf": 0,
      "iat": 1532325509,
      "iss": "http://localhost:8080/auth/realms/nodejs-example",
      "aud": "nodejs-connect",
      "sub": "faf3fc64-b96b-4e3f-8e86-4fc727e20d31",
      "typ": "Bearer",
      "azp": "nodejs-connect",
      "auth_time": 0,
      "session_state": "736f9570-a3c8-4180-927e-15b5e0f63764",
      "acr": "1",
      "allowed-origins": [],
      "resource_access": {
        "account": {
          "roles": [
            "view-profile"
          ]
        }
      },
      "name": "aaa bbb",
      "preferred_username": "ali123",
      "given_name": "aaa",
      "family_name": "bbb",
      "email": "a123@yahoo.com"
    }
How can I retrieve the user roles from that JWT token?
Thank you
Irtiza Ali
6 years, 5 months
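In a Keycloak access token, realm roles are carried under `realm_access.roles` and client roles under `resource_access.<clientId>.roles` (the token above shows only the `account` client's `view-profile`, and no `realm_access` block at all, which is what Keycloak emits when the user has no realm roles to map). The security-relevant point is that those arrays are only meaningful after the token's RS256 signature, issuer and expiry have been verified against the realm's public key; before that they are attacker-controlled JSON. The following is an added example, not code from the original post or the Keycloak project, that verifies a token with Keycloak's own `TokenVerifier` and then reads both role locations. It assumes Keycloak 4.x `keycloak-core` on the classpath (in particular `TokenVerifier.withDefaultChecks()`, `JsonWebToken.expiration(int)` and `JWSBuilder.rsa256`, which are named as in that version); the key pair, the `orders:read` client role and the `offline_access` realm role in the constructed sample are stand-ins, not values from the poster's realm.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.AccessToken;

// Added example (not the original poster's code): verify a Keycloak access token, then read roles.
public class TokenRoles {

    static final String ISSUER = "http://localhost:8080/auth/realms/nodejs-example";
    static final String CLIENT_ID = "nodejs-connect";

    /**
     * Verify the signature with the realm's public key and check iss, exp/nbf and typ
     * before anything in the payload is trusted.
     */
    static AccessToken verify(String jwt, PublicKey realmPublicKey) throws VerificationException {
        AccessToken token = TokenVerifier.create(jwt, AccessToken.class)
                .withDefaultChecks()        // active (exp/nbf), subject present, typ == "Bearer"
                .realmUrl(ISSUER)           // "iss" must be the realm we expect
                .publicKey(realmPublicKey)  // RS256 signature
                .verify()
                .getToken();
        // Bind the token to this client: "azp" names the client it was issued for.
        if (!CLIENT_ID.equals(token.getIssuedFor())) {
            throw new VerificationException("token was issued for " + token.getIssuedFor());
        }
        return token;
    }

    /** Realm roles: "realm_access.roles". The block is absent when the user has none. */
    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access access = token.getRealmAccess();
        return access == null || access.getRoles() == null
                ? Collections.<String>emptySet() : new TreeSet<>(access.getRoles());
    }

    /** Client roles: "resource_access.<clientId>.roles". Absent for clients with no roles. */
    static Set<String> clientRoles(AccessToken token, String clientId) {
        AccessToken.Access access = token.getResourceAccess(clientId);
        return access == null || access.getRoles() == null
                ? Collections.<String>emptySet() : new TreeSet<>(access.getRoles());
    }

    // ---- constructed sample so the example runs offline: a throwaway key stands in for the realm key ----

    static KeyPair sampleRealmKey() throws NoSuchAlgorithmException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    static String mintSample(KeyPair realmKey) {
        AccessToken t = new AccessToken();
        t.type("Bearer");
        t.issuer(ISSUER);
        t.subject("faf3fc64-b96b-4e3f-8e86-4fc727e20d31");
        t.issuedFor(CLIENT_ID);
        t.issuedNow();
        t.expiration((int) (System.currentTimeMillis() / 1000) + 300);
        t.setRealmAccess(new AccessToken.Access().addRole("offline_access")); // hypothetical realm role
        t.addAccess("account").addRole("view-profile");                       // as in the post's token
        t.addAccess(CLIENT_ID).addRole("orders:read");                        // hypothetical client role
        return new JWSBuilder().type("JWT").jsonContent(t).rsa256(realmKey.getPrivate());
    }

    public static void main(String[] args) throws Exception {
        KeyPair realmKey = sampleRealmKey();
        AccessToken token = verify(mintSample(realmKey), realmKey.getPublic());
        System.out.println("realm roles:   " + realmRoles(token));             // [offline_access]
        System.out.println("client roles:  " + clientRoles(token, CLIENT_ID)); // [orders:read]
        System.out.println("account roles: " + clientRoles(token, "account")); // [view-profile]

        // The same token checked against a different key must be rejected.
        try {
            verify(mintSample(realmKey), sampleRealmKey().getPublic());
            System.out.println("BUG: token accepted with the wrong key");
        } catch (VerificationException expected) {
            System.out.println("rejected with wrong key: " + expected.getMessage());
        }
    }
}
```

In production the public key comes from the realm's certs endpoint (`/auth/realms/{realm}/protocol/openid-connect/certs`), matched by the `kid` in the JWT header; the `azp` comparison above is the "issued to my client" check available in this version, and newer `TokenVerifier` releases add an explicit audience check that should be used as well.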
Problem while getting users
by Cedric Vidaillac
Hi all,
I'm trying things with the admin CLI. I want to get all users that have a
specified role, so I'm using this:

    GET /{realm}/clients/{id}/roles/{role-name}/users

Then we decided it was really easier to manage users by assigning them to
a default group, then assigning roles to my default group, than assigning
roles to each user every time.
So when I look up any user now, on the "Role Mappings" tab, I can see the
desired role in the "*Effective Roles*" column, good.
However, the API above only returns users which have the role in "Assigned
Roles", even though my user has the role through the group.
So is this normal or is it a bug?
As the goal of the API is to "Return List of Users that have the specified
role name" I'd say it's a bug, but maybe I'm not seeing clearly.
Thanks for reading.
Cedric.
6 years, 5 months