Managing resource access
by Eirik L. Wang
Hi,
We have a customer support portal where we are trying to use Keycloak for
managing resources.
As part of our portal we want to be able to show admins who has access to a
given resource. Is it possible to get this information from the
authorization APIs?
I'm mostly using RBAC, so our backup plan is just showing this information
based on role membership. But it would be nice to be able to show
calculated access, as there might be some special rules for some resources.
Also, are you able to explain some curious behavior to me? It might be
that I'm not fully aware of how the evaluation of permissions happens:
This is what I have drilled it down to:
Say I have 2 resources
area_1
area_2
each with scopes
area_1:read
area_2:read
area_1:write
area_2:write
I have two policies:
IsAdmin policy that checks for a client admin role
IsAreaAdmin - a generic js policy which tries to check for a role
corresponding with the scope accessed
eg: check if user is member of area_1:write client role
Js-code:
// Resolve the clientId of the resource server this permission belongs to
var context = $evaluation.getContext();
var id = $evaluation.permission.resourceServer.id;
var client = $evaluation.authorizationProvider.realm.getClientById(id).clientId;
// Only the first scope of the permission is inspected
var scope = $evaluation.permission.scopes[0].name;
var identity = context.getIdentity();
var hasRole = identity.hasClientRole(client, scope);
logger.warn("evaluating " + scope);
logger.warn("evaluating " + hasRole);
// Grant when the user holds the client role named like the scope
if (hasRole) {
    $evaluation.grant();
}
Then I have scope-based permissions (one for each scope), Affirmative with
both scopes.
So either you are admin, or you have a role corresponding with the scope.
Testing this:
User1 is member of area1:read client role
When evaluating user with only area1:read scope - access is granted
When evaluating user with any resource, any scope - access is denied
Debugging, it seems like only one of the scopes is tested through the
policy for each resource.
Is this expected behavior? Or is there a caching bug somewhere?
Regards
Eirik Wang
6 years, 4 months
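As an added example, not code from the original post or from Keycloak itself: the same role-per-scope check written to look at every scope on the permission under evaluation, placed next to the first-scope-only check from the post so the two decisions can be compared on the post's own test case. The $evaluation object here is a local stand-in; the only Keycloak API members assumed are the ones the post already uses (permission.scopes[i].name, getContext().getIdentity(), identity.hasClientRole(clientId, roleName), grant()) plus deny(), and a policy that never calls grant() is assumed to count as a denial. The client name "portal" and the role lists are constructed for the example.

```javascript
// Stand-in for Keycloak's $evaluation: records the decision instead of feeding it
// into a real policy evaluation. Constructed for this example, not Keycloak code.
function makeEvaluation(clientId, scopeNames, clientRoles) {
  return {
    decision: 'DENY', // assumption: a policy that never calls grant() denies
    permission: {
      // stand-in: the real policy resolves clientId via realm.getClientById(resourceServer.id)
      resourceServer: { clientId: clientId },
      scopes: scopeNames.map(name => ({ name })),
    },
    getContext() {
      return {
        getIdentity() {
          return {
            // mirrors Identity.hasClientRole(clientId, roleName) for one client
            hasClientRole: (cid, role) => cid === clientId && clientRoles.includes(role),
          };
        },
      };
    },
    grant() { this.decision = 'GRANT'; },
    deny() { this.decision = 'DENY'; },
  };
}

// The check as posted: only the first scope of the permission is consulted,
// so a permission carrying [area_1:read, area_1:write] is granted to a user
// who holds only area_1:read.
function firstScopeOnlyPolicy(evaluation) {
  const identity = evaluation.getContext().getIdentity();
  const clientId = evaluation.permission.resourceServer.clientId;
  const scope = evaluation.permission.scopes[0].name;
  if (identity.hasClientRole(clientId, scope)) {
    evaluation.grant();
  }
  return evaluation.decision;
}

// Every scope on the permission must be backed by a client role of the same
// name. grant()/deny() apply to the permission as a whole, so one missing role
// denies all of it; the missing roles are returned for logging.
function allScopesPolicy(evaluation) {
  const identity = evaluation.getContext().getIdentity();
  const clientId = evaluation.permission.resourceServer.clientId;
  const scopes = evaluation.permission.scopes.map(s => s.name);
  const missing = scopes.filter(scope => !identity.hasClientRole(clientId, scope));
  if (scopes.length > 0 && missing.length === 0) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
  return { decision: evaluation.decision, checked: scopes, missing };
}

// Constructed test case from the post: User1 holds only the area_1:read client role.
const user1Roles = ['area_1:read'];
const readOnly = makeEvaluation('portal', ['area_1:read'], user1Roles);
const readWrite = makeEvaluation('portal', ['area_1:read', 'area_1:write'], user1Roles);
console.log('first scope only, read:       ', firstScopeOnlyPolicy(readOnly));
console.log('first scope only, read+write: ', firstScopeOnlyPolicy(readWrite));
console.log('all scopes, read+write:       ', allScopesPolicy(makeEvaluation('portal', ['area_1:read', 'area_1:write'], user1Roles)));
```

The difference shows up only when a permission is evaluated with more than one scope: the posted check grants as soon as scopes[0] matches, while the all-scopes variant denies and names the role that is missing.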
Maker checker on creating users
by Murad Almomani
Dears,
I would like to implement maker-checker on the creation of users in Keycloak. How can I make one admin with the role of creating users and another admin with permission to approve the creation request?
Thanks.
6 years, 4 months
Validation before account registration
by Andreas Lau
Hello,
I'd like to use Keycloak to secure my web application. But I have a
requirement to check a number, like a contract number, for validity before
the registration process. If it's valid the registration is allowed and an
account can be created; if not, nothing should happen. Is it possible to
do that with Keycloak? I suppose that I cannot use the regular
registration link in the log-in form, right?
Regards Andreas
6 years, 4 months
User Organization / Subset of group roles
by gareth@garethwestern.com
Hi,
We have a requirement that the users of our application can be associated
with an Organization (one of our application's business entities). The
customer would like each Organization to have one or more "roles" associated
with it, so that when a user is created and associated with that
organization then the user will inherit those roles. One complication is
that the customer may want the user to only have a subset of the
Organization roles. The current thinking is that each organization could be
a group, so that users and roles can be assigned to the group, but I'm not
sure how to handle the 'subset of group roles' issue. Is this something that
can be accomplished with Keycloak?
Kind regards,
Gareth
6 years, 4 months
Keycloak Auth error message
by MyMail1284
Hi,
Currently, on authentication failure of the credentials, we are observing the
same error message as is received when the user profile status is marked as
disabled and when no user profile exists in Keycloak.
Please let me know if there is any way I can correct this with any sort of
customisation.
Regards,
Ravi Shanker
6 years, 4 months
Keycloak JS adapter iframe origin
by Pedro Pedro
We have an Angular app and we use nginx in a Docker image to deploy it.
I'm trying to pass the Keycloak URL to the JS adapter by using a constant like this: new Keycloak({ url: '/idp' });
and in nginx's config I try to proxy that path to the args passed to the Docker image:
location /idp {
    proxy_pass ${IDP_PROTOCOL}://${IDP_ADDR}/${IDP_CONTEXT_PATH};
}
When the logic in checkLoginIframe tries to send a cross-origin request it fails because the adapter uses our app's origin.
Is there any way to proxy that via nginx?
If I disable checkLoginIframe, can the session still be tracked when it expires, etc.?
6 years, 4 months
Replication timeout and retransmission table issues when using Keycloak on 5 nodes
by Damien Douteaux
*SUMMARY*
I am currently trying to build an authentication app using Keycloak
deployed as a Docker service. My infrastructure is as follows:
- Server : CentOS 7
- Docker : 17.06.2-ce, with weaveworks net plugin
- Keycloak : 3.3.0-Final
- PostgreSQL : 9.4
- 5 Keycloak instances deployed as a cluster in a Docker swarm
I encounter an issue with the cache when building up the cluster. I do not
have any error while building a 2-node cluster, but when scaling to 5
nodes, many warnings like this one appear:
WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-3)
JGRP000041: bd3eeb23695b: message d8896fbba960::14 not found in
retransmission table
When these messages begin to appear, the containers stop responding
correctly and eventually some of them stop their instance of Keycloak. This
kind of error has occurred on various occasions:
- When starting the services, so the app does not even succeed in
starting.
- A few hours after a correct start of Keycloak, even with little activity
on the nodes.
*SYMPTOMS*
When the app crashes I see :
1) Numerous logs like the one shown above that seem to repeat (i.e. the
same messages coming from a node are not found "for ever"):
2018-08-22 09:59:33,346 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::15 not found in retransmission table
2018-08-22 09:59:33,346 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::16 not found in retransmission table
2018-08-22 09:59:33,346 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::17 not found in retransmission table
2018-08-22 09:59:33,346 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::18 not found in retransmission table
...
2018-08-22 09:59:33,040 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::15 not found in retransmission table
2018-08-22 09:59:33,040 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::16 not found in retransmission table
2018-08-22 09:59:33,040 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::17 not found in retransmission table
2018-08-22 09:59:33,040 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::18 not found in retransmission table
...
2) The node from which the messages should come displays various cache
errors:
2018-08-22 09:58:37,130 ERROR
[org.infinispan.interceptors.InvocationContextInterceptor]
(ServerService Thread Pool -- 61) ISPN000136: Error executing command
PutKeyValueCommand, writing keys [cluster-start-time]:
org.infinispan.util.concurrent.TimeoutException: Replication timeout
2018-08-22 09:58:37,149 ERROR [org.jboss.msc.service.fail]
(ServerService Thread Pool -- 61) MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth:
java.lang.RuntimeException: RESTEASY003325: Failed to construct public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
2018-08-22 09:58:37,178 ERROR
[org.jboss.as.controller.management-operation] (Controller Boot
Thread) WFLYCTL0013: Operation ("add") failed - address:
([("deployment" => "keycloak-server.war")]) - failure description:
{"WFLYCTL0080: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth"
=> "java.lang.RuntimeException: RESTEASY003325: Failed to construct
public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to
construct public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: org.infinispan.util.concurrent.TimeoutException:
Replication timeout"}}
2018-08-22 09:58:37,409 WARN
[org.infinispan.topology.CacheTopologyControlCommand] (ServerService
Thread Pool -- 60) ISPN000071: Caught exception when handling command
CacheTopologyControlCommand{cache=actionTokens, type=LEAVE,
sender=d8896fbba960, joinInfo=null, topologyId=0, rebalanceId=0,
currentCH=null, pendingCH=null, availabilityMode=null,
actualMembers=null, throwable=null, viewId=3}:
java.lang.IllegalArgumentException: A cache topology's pending
consistent hash must contain all the current consistent hash's members
Then, this node usually stops all caches and Keycloak.
*CONFIG AND SOLUTION ATTEMPTED*
I have unsuccessfully tried to:
- Change timeout params on the various Keycloak caches (in order to
give more time to stabilize the cluster)
- Change some default values for the NAKACK2 protocol in the Keycloak
configuration file. The aim of this was to limit traffic between nodes and
increase the number of elements in the retransmission table so that messages are
not lost before all nodes have received them. However, my issues were not lessened
by those changes.
The configuration I am currently using is the following:
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
    <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
        <transport lock-timeout="500000"/>
        <local-cache name="realms">
            <eviction max-entries="10000" strategy="LRU"/>
        </local-cache>
        <local-cache name="users">
            <eviction max-entries="10000" strategy="LRU"/>
        </local-cache>
        <distributed-cache name="sessions" mode="SYNC" owners="3"/>
        <distributed-cache name="authenticationSessions" mode="SYNC" owners="3"/>
        <distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
        <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
        <local-cache name="authorization">
            <eviction max-entries="10000" strategy="LRU"/>
        </local-cache>
        <replicated-cache name="work" mode="SYNC"/>
        <local-cache name="keys">
            <eviction max-entries="1000" strategy="LRU"/>
            <expiration max-idle="3600000"/>
        </local-cache>
        <distributed-cache name="actionTokens" mode="SYNC" owners="2">
            <eviction max-entries="-1" strategy="NONE"/>
            <expiration max-idle="-1" interval="300000"/>
        </distributed-cache>
    </cache-container>
    ...
    <cache-container name="ejb" aliases="sfsb" default-cache="dist" module="org.wildfly.clustering.ejb.infinispan">
        <transport lock-timeout="300000"/>
        <distributed-cache name="dist">
            <locking isolation="REPEATABLE_READ"/>
            <transaction mode="BATCH"/>
            <file-store/>
        </distributed-cache>
    </cache-container>
</subsystem>
...
<protocol type="pbcast.NAKACK2">
    <property name="use_mcast_xmit">false</property>
    <property name="xmit_table_num_rows">200</property>
</protocol>
Hence, do you have any idea why this is happening and how to update my
configuration to solve this issue?
--
*Damien Douteaux*
6 years, 4 months
Adding Customized Message after successful Login
by Murad Almomani
Dears,
I would like to add a customized success message after a user successfully logs in to Keycloak. How can I do this?
And is there a way to make this message configurable from the Keycloak admin console?
Thanks,
Murad Momani.
6 years, 4 months