Keycloak Proxy Rename
by Bruno Oliveira
Good afternoon,
We are considering transferring or forking keycloak-proxy[1] to the Keycloak
organization. In order to accomplish that, I've been working with Rohith on
updating some of its dependencies[2].
While discussing with our team, we reached the conclusion that calling it a
proxy could potentially increase the scope of the project and also give
people the wrong idea, because things like load balancing, rate limiting,
and other features would be expected. That's not what we want right now.
I would like to gather some feedback from the community before we move forward.
So please vote on the following Doodle:
https://doodle.com/poll/gux626ktscgpr96t
Also, feel free to suggest other names and they will be included.
[1] - https://github.com/gambol99/keycloak-proxy
[2] - https://issues.jboss.org/browse/KEYCLOAK-7265
--
abstractj
6 years, 4 months
accessing client JWT token in token mapper when using signed JWT authenticator.
by Billiet Tom
Hi,
I'm currently trying to create a Mapper for a client that uses "Signed JWT" as the client authenticator. In the mapper I would like to access some fields from the JWT token that's used to authenticate the client.
I cannot figure out a way to do so. I've tried to create a custom mapper that extends AbstractOIDCProtocolMapper, but I don't seem to be able to access the client JWT token anywhere.
When digging somewhat deeper, I think the JWTClientAuthenticator (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...) should expose this if I want to be able to use it later in a mapper. If the JsonWebToken would be stored on the userSession note object that would be possible.
But that would require a feature request to have this exposed. Is there another way to make this possible?
Thanks,
Tom
6 years, 4 months
Choosing authentication method on login page
by Nikola Malenic
I would like to let my users have a choice which authentication method to
use. For example, they could be presented with a menu to pick an option
(username/pass, username/pass+OTP, etc).
Then, Keycloak should, based on their choice, assign specific scope to the
token.
Is this possible to do with Keycloak (probably by somehow utilizing auth
method chaining) and how? I couldn't find this in the documentation but it
seems a reasonable use case to me.
Thanks in advance,
Nikola
6 years, 4 months
Keycloak master Docker image
by Stian Thorgersen
If you ever wanted to try something in Keycloak master without building it
yourself you can now use the jboss/keycloak:master tag. It is automatically
rebuilt every time there is a merge to master.
6 years, 4 months
Re: [keycloak-user] prompt=login does not override Kerberos
by Ryan Slominski
Hi Marek,
Reordering the Identity Provider Redirector execution such that it comes before the Kerberos SPNEGO execution actually does work on second look. I was running into caching and cross-site scripting issues. So the workaround for prompt=login being ignored by SPNEGO authenticator is to just reorder authenticator priority.
Ryan
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Ryan Slominski" <ryans(a)jlab.org>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, August 22, 2018 2:52:28 AM
Subject: Re: [keycloak-user] prompt=login does not override Kerberos
On 21/08/18 20:43, Ryan Slominski wrote:
> My understanding is sending the parameter prompt=login to the Keycloak authentication URL should force the login form and re-authentication. However, if Kerberos SPNEGO is available it ignores this parameter and logs the user in without showing a login form. Is this a bug? I guess currently the prompt=login is only honored by the cookie execution in the browser flow?
Per the OIDC specification, when using prompt=login, the server should
re-authenticate the user. IMO re-authentication doesn't strictly mean that
a login form must be shown and all the authenticators which don't have
any HTML form to display must be ignored. So we just ignore the cookie
authenticator at this moment.
In the future, we plan to use "Authentication levels" and I think this
will allow us to address your use case better. For example, you will create 2
authentication flows and, based on the value of the "amr" parameter sent
from the adapter, Keycloak will show the correct authentication
flow. So for example you can have one flow with the Kerberos Authenticator
and one flow with the IdentityProviderRedirector etc.
For now, maybe you will need to customize the source code of
SpnegoAuthenticator (create your own provider subclass) to deal with
prompt=login according to your needs.
>
> Another possible bug: if you create a copy of the browser flow and swap the order of the Kerberos execution with the Identity Provider Redirector execution then Kerberos SPNEGO authentication won't work (fails with checksum error).
Sounds strange. Maybe this is a bug. Does it happen even if there is
no "kc_idp_hint" parameter sent, so the IdentityProvider Redirector
doesn't do any redirection HTTP requests? If yes, it looks like a bug to
me. Feel free to create a JIRA.
Marek
>
> Combine both issues and it means you can not selectively force some users to use a particular identity broker while sending others to another. With the normal browser flow if a user has Kerberos SPNEGO credentials then they will ignore the kc_idp_hint parameter as the Kerberos execution comes before the IDP redirect. If you configure an alternative browser flow where the IDP redirect execution comes before the Kerberos execution then users without the kc_idp_hint who legitimately should login automatically via Kerberos SPNEGO will fail to do so because it appears having IDP redirect execution first breaks the SPNEGO process. Anyone else run into this?
6 years, 4 months
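One way to implement the SpnegoAuthenticator subclass Marek suggests above, so that prompt=login skips the Kerberos ticket and falls through to the next execution in the browser flow. This is an added example, not code from the thread or from the Keycloak project; it assumes the Keycloak 4-era authenticator SPI (SpnegoAuthenticatorFactory, OIDCLoginProtocol.PROMPT_PARAM, AuthenticationFlowContext.attempted()), and the package name and provider id are made up.

```java
package com.example.keycloak.auth; // hypothetical package

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator;
import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticatorFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;

/**
 * SPNEGO authenticator that honors prompt=login: when the client asked for
 * forced re-authentication, the Kerberos ticket is not consulted and the
 * flow continues with the next execution (e.g. the username/password form).
 */
public class PromptAwareSpnegoAuthenticator extends SpnegoAuthenticator {

    /** prompt is a space-separated list; "login" may appear alongside other values. */
    static boolean isForcedLogin(String prompt) {
        if (prompt == null) return false;
        for (String value : prompt.trim().split("\\s+")) {
            if (OIDCLoginProtocol.PROMPT_VALUE_LOGIN.equals(value)) return true;
        }
        return false;
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // The authorization endpoint stores the request's prompt parameter
        // as a client note on the authentication session.
        String prompt = context.getAuthenticationSession()
                .getClientNote(OIDCLoginProtocol.PROMPT_PARAM);
        if (isForcedLogin(prompt)) {
            // Mark SPNEGO as not attempted so an ALTERNATIVE execution later
            // in the flow is tried instead of silently logging the user in.
            context.attempted();
            return;
        }
        super.authenticate(context); // normal Negotiate challenge/ticket handling
    }

    /** Factory registering the subclass under its own provider id (hypothetical). */
    public static class Factory extends SpnegoAuthenticatorFactory {
        public static final String PROVIDER_ID = "auth-spnego-prompt-aware";

        @Override public String getId() { return PROVIDER_ID; }
        @Override public String getDisplayType() { return "Kerberos (honors prompt=login)"; }
        @Override public Authenticator create(KeycloakSession session) {
            return new PromptAwareSpnegoAuthenticator();
        }
    }
}
```

Register the factory in META-INF/services/org.keycloak.authentication.AuthenticatorFactory, then swap it for the built-in Kerberos execution in a copy of the browser flow; users without prompt=login keep their automatic SPNEGO login.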
Authorization services performance
by Ori Doolman
Hi,
We are using the Policy Enforcer in a Java client (JBoss Fuse) to send the permission ticket to the Keycloak PDP for evaluating a pre-configured JavaScript policy rule.
We are using Keycloak version 2.5.5.
Does that evaluation in the Keycloak PDP occur in memory, or does it perform a DB access each time?
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
6 years, 4 months
How an end user can delete his account
by Olivier Guilloux
Hello,
How can an end user delete his account using the account page
(auth/realms/<...>/account/)?
I have found the API "DELETE /{realm}/users/{id}" but the account page
doesn't have any delete account button?
Regards,
--
Olivier GUILLOUX
6 years, 4 months
prompt=login does not override Kerberos
by Ryan Slominski
My understanding is sending the parameter prompt=login to the Keycloak authentication URL should force the login form and re-authentication. However, if Kerberos SPNEGO is available it ignores this parameter and logs the user in without showing a login form. Is this a bug? I guess currently the prompt=login is only honored by the cookie execution in the browser flow?
Another possible bug: if you create a copy of the browser flow and swap the order of the Kerberos execution with the Identity Provider Redirector execution then Kerberos SPNEGO authentication won't work (fails with checksum error).
Combine both issues and it means you can not selectively force some users to use a particular identity broker while sending others to another. With the normal browser flow if a user has Kerberos SPNEGO credentials then they will ignore the kc_idp_hint parameter as the Kerberos execution comes before the IDP redirect. If you configure an alternative browser flow where the IDP redirect execution comes before the Kerberos execution then users without the kc_idp_hint who legitimately should login automatically via Kerberos SPNEGO will fail to do so because it appears having IDP redirect execution first breaks the SPNEGO process. Anyone else run into this?
6 years, 4 months
Trying to use offline captcha on forgot password page
by Khyati Kataria
Hi,
I am new to Keycloak. As per one of our requirements we need to have
something like an offline captcha (having no internet access) on the forgot
password page. I am planning to add an external jar file for the captcha. Is
it possible or not? Is anyone having the same kind of thing? Apart from an
external jar, is there any better way to add a captcha without internet?
Thanks,
Khyati
6 years, 4 months
Is Keycloak with a large number of clients or groups viable?
by DELBART Thierry
Hi all,
I'm contacting you to try to shed some light on our design worries.
We'll be using the latest Keycloak version.
Our users are linked to firms with different roles in each firm, basically founders and members. Potentially, there would be up to 100.000 firms registered (we hope so! :) ).
We envisioned two solutions:
- using groups: each firm is a group that includes a group for each role; one of the groups would be able to add users to the other groups (possible?)
- using clients: each firm is a client that has its specific roles; only users with the role "founder" can grant the client's roles to other users (possible?)
At first we wanted to use Keycloak SPIs to manage that but we'll probably have to build our own back-office and use REST requests.
Which option would suit our case best?
Is there a limit for groups or clients in Keycloak?
And how would you handle application-based roles? Or is it better for each application to handle them internally?
Thanks,
Thierry.
6 years, 4 months