OIDC biometrics authentication
by Ruslan Rusu
Hi here!
I'm new to this space; my sincere apologies if my language is ambiguous or
not precise.
What I'm trying to achieve:
Identify users with biometrics. Specifically, the identification part from
png image => userId will be done by an internal system. Keycloak here will use
the back channel (REST call) to communicate with the internal identification
system. The happy path will produce a token, and a 401 otherwise.
Here is how I anticipate keycloak to be called:
require 'httparty'
require 'jwt'
require 'json'          # needed for JSON.parse and #to_json
require 'securerandom'
require 'base64'

# Resource Owner Password grant against the realm's token endpoint; the
# biometric payload is carried as an extra form parameter ("request").
result = HTTParty.post(
  "http://......../auth/realms/face-idf/protocol/openid-connect/token",
  :body => {
    :grant_type => :password,
    :client_id => "56a4acc2",
    :client_secret => "ea539549",
    :request => {
      "imageFormat" => "png",
      "base64image" => "R0lGODlbEh.....more...here...AAOw=="
    }.to_json
  },
  :headers => { 'Accept' => "application/json" }
)
pp JSON.parse(result.body)
I tried 2 options and one succeeded so far.
option 1: extend Authenticator, call inside authenticate()
This option implies that users are available in Keycloak. In my case
Keycloak is just fronting my real identity management system. I've tried
to return InMemoryUserAdapter, but there is code downstream which goes
to cache and persistence, and if the user cannot be found there it blows up with
an unexpected AuthenticationException.
Workaround:
// Look the user up by the identifier returned from the external
// identification system; if Keycloak has no record yet, create one.
UserModel userModel = KeycloakModelUtils
        .findUserByNameOrEmail(context.getSession(), context.getRealm(), memberId);
if (userModel == null) {
    userModel = context.getSession()
            .userStorageManager().addUser(context.getRealm(), memberId);
    userModel.setUsername(memberId);
    userModel.setEnabled(true);
}
Status: Seems unnecessary, but it works end to end.
option 2: extend PropertyFileUserStorageProvider, call inside isValid()
This seems a better fit for external identities, though I could not
figure out from the docs how I get a custom UserCredentialModel
for biometrics. If I try to hijack grant_type=password and
username/password is missing, then it fails before my isValid() gets
called.
Status: Could not get this to work.
The documentation and code were very helpful to hit the ground running.
I understand my use case is not what keycloak does by default, but man,
I'm impressed what it can do.
I would not be surprised if I'm overthinking this :)
I have a couple of questions:
0) Is the Ruby above OAuth/OIDC compliant? I could not find anything in the
OAuth/OIDC RFCs or on Google.
1) Is grant_type => :password appropriate for an external biometrics
identification context?
2) If I try federation, how do I get access to the biometrics from the request?
Any suggestion, hint, or advice on how to enable Keycloak to accept biometric
identification requests is highly appreciated!
Thank you,
Ruslan
6 years, 3 months
How to configure Mutual SSL between Keycloak and Postgresql
by hugh shangguan
Hi there,
I am interested in getting Keycloak to work with SSL client certs for JDBC connections
to PostgreSQL. I hope someone can give me some help.
First of all, I should mention that my client cert authentication is
working fine with psql in both 1-way and 2-way (mutual SSL)
authentication. So I am satisfied with the certs and keys, because I can use
psql to connect from the keycloak server to the postgresql server via mutual SSL. There
are two servers: one is the keycloak server, the other is the postgresql server.
postgresql.crt
postgresql.key / postgresql.pk8
root.crt
Those files are located in ${user.home}/.postgresql/ on my postgresql server.
On my PostgreSQL server, if I configure it like this (one-way SSL):
hostssl all all 0.0.0.0/0 md5
It is fine. My keycloak server connects to my postgresql server very
well.
However, when I configure it like this (mutual SSL):
hostssl all all 0.0.0.0/0 md5 clientcert=1
The connection fails. The log is below.
Caused by: java.lang.RuntimeException: Failed to connect to database
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
Caused by: org.postgresql.util.PSQLException: FATAL: connection requires a valid client certificate"}}
*"connection requires a valid client certificate".*
I don't know how to configure the client certificate in
keycloak (standalone.xml). At the same time, I can still use 'psql' to connect
via mutual SSL to my postgresql server from my keycloak server.
Questions:
1. Does keycloak support mutual SSL authentication when I try to connect
keycloak to postgresql with 2-way authentication? (I guess so, because this is
about security. This should be JDBC's problem, but I am not sure. And I
tried the instructions from the PostgreSQL JDBC Driver documentation,
https://jdbc.postgresql.org/documentation/head/ssl-client.html. It still
doesn't work.)
2. How do I configure Keycloak to connect via mutual SSL between keycloak and
postgresql?
Thank you for your time!
Cheers!
--
Hugh
Zhaohui Shangguan
6 years, 3 months
"id_token_hint" support
by Balaji Balakrishnan
Hi,
Is id_token_hint supported for OIDC login? I am trying to emulate an auto login for a user interaction. This goes something like this. A user signs up for a “thing”. The “thing” is provisioned and a userid/pwd is auto-generated and mailed to the user. At the same time a user (userid/pwd) is created in keycloak as well. As soon as the “thing” is provisioned, the user will be taken to the home page without asking for credentials.
We enabled “Direct Access Grants Enabled” at the client level. We get an ID token using the auto-generated userid/pwd via the “password” grant. Then we use the generated ID token as id_token_hint and initiate the “code” grant login. I could see a session was created when the ID token was obtained, but keycloak still shows me the login screen.
Thanks
Balaji
6 years, 3 months
keycloak-js on Edge causes CORS issues
by Ryan Price
I am getting ready to roll out a new client app that uses keycloak-js, and
we're testing with BrowserStack on MS Edge.
Edge does not pick up the user's authentication on an init('check-sso') and
in the error console we see:
SEC7120: [CORS] the origin 'http://HOST.com' failed to allow a cross-origin document resource at 'ms-appx-web://assets/errorpages/sslnavcancel.html#https://KEYCLOAK-SERVER/auth/realms/REALM/protocol/openid-connect/login-s...".
Since I am testing on development servers over BrowserStack, there are lots
of self-signed SSL certificates and things that would not exist in
production; I'm not sure if that's the case here or some policy that only
exists in Edge.
We can get this to work in other major browsers and platforms.
--
Ryan Price
Senior Web Application Developer
Red Hat
<https://www.redhat.com>
ryprice(a)redhat.com IM: @liberatr
<https://red.ht/sig>
6 years, 3 months
Re: [keycloak-user] redirect_uris in registration broken
by Matthias Kesternich
Hello again,
I think I might have found the bug by looking at the source code and my tokens.
I'm looking at this file: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o... . Especially lines 102 and 107.
The token from the verification mail contains this:
"asid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee"
This contains the right client id 'bf56158d-3e48-4ece-bb17-48c5143204ee' (myclient).
When I open that link, the code in lines 78-93 is triggered, creating yet another token with a compound session id. That token looks like this:
"oasid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
"asid": "9449b12e-9364-43d9-a4ab-3f29e9fe1bdb.KbiccXfmQyE.453f147b-011f-4b40-a8c4-6bdac6eabc85",
"compoundOriginalAuthenticationSessionId": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
You can see the client id in 'oasid' is 'bf56158d-3e48-4ece-bb17-48c5143204ee' (myclient), while in 'asid' the client id '453f147b-011f-4b40-a8c4-6bdac6eabc85' points to the "account" client!
Now when I click the link with this token, lines 102-110 are triggered. There it checks whether the original authentication session id is present (it is) and then proceeds to the form with the *current* authSession. The current auth session will be taken from "asid", which features the wrong client "account"!
A potential fix might be to use the original authentication session in line 107 instead of the current one.
Is there anything I can do about this bug? Right now this means all users opening the mail in a new browser window/on a different device will be stuck on their accounts page and don't get back to the client they registered from.
Best,
-Matthias
On 03.09.18, 18:30, "keycloak-user-bounces(a)lists.jboss.org on behalf of Matthias Kesternich" <keycloak-user-bounces(a)lists.jboss.org on behalf of matthias.kesternich(a)moneymeets.com> wrote:
Hello,
If I perform the following steps, then the redirect_uris that are sent upon registration are just ignored:
1. Register user with redirect_uri=myapp
2. Receive the verification mail
3. Clear your browser cache or switch to another browser. This step is very important!
4. Open the link from the verification mail, see a tab open with the right redirect_uri in the url bar
5. Click the button.
6. Another registration verification tab opens which features redirect_uri=account
7. Click the button
8. Get redirected to the login form with redirect_uri = account
9. Login
10. Get redirected to the account page instead of myapp.
Is this expected behavior? I also noticed that if you clear your browser cache then keycloak will show an additional screen for verification of the e-mail address plus the login screen. If I don't clear the browser cache I only get one verification screen and I am then redirected to my application.
Should I file a bug report?
Best,
-Matthias
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 3 months
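The compound session id analysed in Matthias's post above has the shape <rootSessionId>.<tabId>.<clientUUID>. The following is an added example, not code from the thread or from Keycloak: it parses that format and checks whether the client in the current session ("asid") still matches the client recorded in the original one ("oasid"), using the two claim values quoted in the post as constructed sample input; the field names and the Struct are this example's own.

```ruby
require 'json'

# Keycloak writes the compound authentication session id as
# "<rootSessionId>.<tabId>.<clientUUID>", which is the shape of the
# asid/oasid values quoted in the post.
CompoundId = Struct.new(:root_session_id, :tab_id, :client_uuid)

# Split a compound id into its three parts; nil when the shape is wrong.
def parse_compound_id(value)
  return nil unless value.is_a?(String)
  parts = value.strip.split('.')
  return nil unless parts.size == 3 && parts.none?(&:empty?)
  CompoundId.new(*parts)
end

# Compare the client of the current auth session ("asid") with the client
# recorded for the original one ("oasid"). A mismatch is the symptom from
# the post: the follow-up token targets the "account" client rather than
# the client the user registered from.
def check_action_token(claims)
  current  = parse_compound_id(claims['asid'])
  original = parse_compound_id(claims['oasid'] ||
                               claims['compoundOriginalAuthenticationSessionId'])
  return { status: :malformed } if current.nil?
  return { status: :no_original, client: current.client_uuid } if original.nil?
  if current.client_uuid == original.client_uuid
    { status: :consistent, client: current.client_uuid }
  else
    { status: :client_mismatch,
      original_client: original.client_uuid,
      current_client: current.client_uuid }
  end
end

# Constructed sample: the two claims quoted in the post, as a parsed JWT body.
SAMPLE_CLAIMS = JSON.parse(<<~JSON)
  {
    "oasid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
    "asid": "9449b12e-9364-43d9-a4ab-3f29e9fe1bdb.KbiccXfmQyE.453f147b-011f-4b40-a8c4-6bdac6eabc85"
  }
JSON

if __FILE__ == $PROGRAM_NAME
  p check_action_token(SAMPLE_CLAIMS)
end
```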
How to delete a federated identity?
by Eric Wittmann
Apicurio uses Keycloak to support Account Linking with GitHub, GitLab, and
Bitbucket. Creating a link works well, but deleting the link does not.
It's been awhile since I've checked for this functionality - but is there
an API call in KC 4.x that Apicurio can use to delete the linked account
for an authenticated user?
Previously I was trying to use this:
/auth/realms/apicurio/account/federated-identity-update?action=REMOVE&provider_id=gitlab
But I don't think this ever worked, and it's definitely returning a 404 now.
In a related followup question - in Keycloak 4.3.0 (most recent testing) if
I delete the linked account record in Apicurio, I cannot re-create it.
When I try, the result is a PK violation in the Keycloak database. I can
work around this problem only by logging into Keycloak and deleting the
"Identity Provider Link" in Manage->Users. The URL Apicurio uses when
initiating an account link is:
/auth/realms/apicurio/broker/gitlab/link?nonce=abc&hash=xyz&client_id=apicurio-studio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fstudio%2Fsettings%2Faccounts%2FGitLab%2Fcreated
If the user already has an identity provider link for "gitlab" then the
result is:
Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "PRIMARY_KEY_40 ON PUBLIC.FEDERATED_IDENTITY(IDENTITY_PROVIDER, USER_ID) VALUES ('gitlab', 'c0e35a37-ad19-49d1-a030-42ac1a1b1dae', 3)"; SQL statement:
insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID, FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?) [23505-193]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
    at org.h2.message.DbException.get(DbException.java:179)
    at org.h2.message.DbException.get(DbException.java:155)
    at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:103)
    at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:231)
    at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:190)
    at org.h2.mvstore.db.MVTable.addRow(MVTable.java:704)
    at org.h2.command.dml.Insert.insertRows(Insert.java:156)
    at org.h2.command.dml.Insert.update(Insert.java:114)
    at org.h2.command.CommandContainer.update(CommandContainer.java:98)
    at org.h2.command.Command.executeUpdate(Command.java:258)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:160)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:146)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
    ... 82 more
Seeking help on both issues. I'm likely just doing the wrong thing. :)
6 years, 3 months
Cross Realm Administration
by Russell Davies
I've found a few list posts musing about cross realm administration but
nothing concrete to say whether or not it's possible. So what's the status
of it?
To give some background on my use case, I have three kinds of users: staff,
contract staff, and customers. It seems to me that a realm for each kind of
user is the best way to model this so that way groups, roles, and login
screens are specific for them. Certain staff users (admins or managers)
need to be able to manage the contract and customer users like master realm
admins can manage users in other realms.
So how is this done? Or if it's not possible then should I use the master
realm as the staff realm, or should I just have one realm and model it by
way of roles and groups (still the issue of different login screens then)?
6 years, 3 months
SAML Logout fails with: "Invalid query param signature"
by Luis Rodríguez Fernández
Hello there,
Using keycloak-saml-tomcat8-adapter-dist-4.2.1.Final, I always get
"org.keycloak.common.VerificationException: Invalid query param signature"
when the IdP sends the LogoutResponse.
I've compared the implementation of
AbstractSamlAuthenticationHandler.verifyRedirectBindingSignature [1] with a
custom one that I developed myself, and the only differences are:
- The way the parameters are decoded: I use java.util.Base64
while keycloak uses its own (org.keycloak.saml.common.util.Base64).
I am using the REDIRECT binding for the SingleLogoutService.responseBinding.
Any thoughts on this?
Thanks in advance,
Luis
[1]
https://github.com/keycloak/keycloak/blob/79774d2f0730593d504072aaabb1b87...
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
6 years, 3 months
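For the signature check that Luis's post is about: the HTTP-Redirect binding signs the raw URL-encoded query values in the fixed order SAMLResponse, RelayState, SigAlg, so a verifier must rebuild exactly those octets rather than decode and re-encode the parameters. The following is an added example, not code from the thread, the Keycloak adapter or any IdP: it builds a signed LogoutResponse query with a throwaway RSA key (IdP side) and verifies it the way the binding defines (SP side); the key, the XML and the RelayState are constructed, and the function names are this example's own.

```ruby
require 'openssl'
require 'base64'
require 'zlib'
require 'uri'
RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'.freeze

# Redirect binding encoding: raw DEFLATE (no zlib header), then Base64.
def deflate_b64(xml)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  data = z.deflate(xml, Zlib::FINISH)
  z.close
  Base64.strict_encode64(data)
end
def enc(value)
  URI.encode_www_form_component(value)
end

# The octets the binding signs: URL-encoded values in this fixed order;
# RelayState is part of the string only when it is actually sent.
def signed_string(message_enc, relay_state_enc, sig_alg_enc)
  s = "SAMLResponse=#{message_enc}"
  s += "&RelayState=#{relay_state_enc}" if relay_state_enc
  s + "&SigAlg=#{sig_alg_enc}"
end

# IdP side (constructed here): sign a LogoutResponse and build the query.
def build_signed_query(private_key, xml, relay_state)
  to_sign = signed_string(enc(deflate_b64(xml)),
                          relay_state && enc(relay_state), enc(RSA_SHA256))
  sig = private_key.sign(OpenSSL::Digest::SHA256.new, to_sign)
  "#{to_sign}&Signature=#{enc(Base64.strict_encode64(sig))}"
end

# Split the query WITHOUT decoding: the signature covers the wire bytes.
def raw_params(query)
  query.split('&').map { |kv| k, v = kv.split('=', 2); [k, v || ''] }.to_h
end

# SP side: verify over the raw values, rebuilt in the mandated order no matter
# how the IdP ordered the query. Decoding and re-encoding first (e.g. '%20'
# turning into '+') breaks the check even when the IdP signed correctly.
def verify_signed_query(public_key, query)
  raw = raw_params(query)
  return false unless raw['SAMLResponse'] && raw['SigAlg'] && raw['Signature']
  return false unless URI.decode_www_form_component(raw['SigAlg']) == RSA_SHA256
  to_verify = signed_string(raw['SAMLResponse'], raw['RelayState'], raw['SigAlg'])
  sig = Base64.decode64(URI.decode_www_form_component(raw['Signature']))
  public_key.verify(OpenSSL::Digest::SHA256.new, sig, to_verify)
rescue OpenSSL::PKey::PKeyError
  false
end
```

The SigAlg comparison pins the algorithm to the one the SP expects instead of trusting whatever the query names.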
redirect_uris in registration broken
by Matthias Kesternich
Hello,
If I perform the following steps, then the redirect_uris that are sent upon registration are just ignored:
1. Register user with redirect_uri=myapp
2. Receive the verification mail
3. Clear your browser cache or switch to another browser. This step is very important!
4. Open the link from the verification mail, see a tab open with the right redirect_uri in the url bar
5. Click the button.
6. Another registration verification tab opens which features redirect_uri=account
7. Click the button
8. Get redirected to the login form with redirect_uri = account
9. Login
10. Get redirected to the account page instead of myapp.
Is this expected behavior? I also noticed that if you clear your browser cache then keycloak will show an additional screen for verification of the e-mail address plus the login screen. If I don't clear the browser cache I only get one verification screen and I am then redirected to my application.
Should I file a bug report?
Best,
-Matthias
6 years, 3 months