Multi-tenancy with groups
by Wyns Dean
Hi there
A client of ours requires multi-tenancy (multiple customers) but without isolation of users. In others words, one user can be linked to multiple customers. A user with the permission to do so, should be able to manage their customer's users.
For this client we created a realm to completely isolate it. So we would use groups to implement the customers below our client.
Is creating a group per customer the best way to implement this? And then restrict the user management by using the fine-grained permissions built into the Keycloak admin console?
Or is there another better way?
Thanks
Dean
6 years, 2 months
Problem with Spring WEB application using Keycloak + Spring Security Adapter in Multi Tenancy mode
by Mattia Bello
Hello,
I am trying to configure a Spring WEB application using Keycloak + Spring Security Adapter in Multi Tenancy mode but i encountered some problems.
I followed the instuctions of the Keycloak documentation (https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_sec... and https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy)
I created a simple web application (SpringSecurity_HelloWorld) with two pages, one public page (hello.jsp) and a protected one (admin.jsp).
To implementy the Multi tenancy, I created the PathBasedKeycloakConfigResolver java class and I changed the spring-security.xml file as requested to link this class to the Spring context.
The .zip from follow Google Drive Link contains a copy of the test project:
https://drive.google.com/file/d/1YH2phrXlx9yc1vexXkNCMKoOnDBEmBI2/view?us...
This is what happens when the app is running:
Accessing url localhost:8080/SpringSecurity_HelloWorld/{realm}/admin, (i.e. the protected page) the following steps are executed:
1 As expected, the method resolve(..) of my PathBasedKeycloakConfigResolver class is called, and my code correctly extracts the {realm} from the url, creates the corresponding KeycloakDeployment
object, returning it to the caller
2 The browser receives a redirect (HTTP 302) to the location localhost:8080/SpringSecurity_HelloWorld/sso/login and executes the redirect
3 The method resolve(..) of PathBasedKeycloakConfigResolve is called again with the url localhost:8080/SpringSecurity_HelloWorld/sso/login as argument. This is very surprising to me because
this url doesn't contains the {realm} part and I am wondering how the method resolve() could cope with this. It is supposed to return the KeycloakDeployment object corresponding to the requast realm
but this is not possible now.
For what I understand from documentation the second call to the resolve() method is just wrong .... why the the {realm} is missing ?
I suspect there is some configuratione error in my project but I can't find anything wrong.
Thanks to all
Mattia Bello
Developer
[Descrizione: cid:image001.jpg@01CEB308.188717E0]
Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 347 37 64 875
www.horsa.it<http://www.horsa.it/>
6 years, 2 months
Custom Identity Brokering and First login flow: prevent username edition?
by Rémy Grünblatt
Hi,
I'm using a custom IDP and I have some trouble during the first login
flow, it redirects to a "Update Account Information" page (this is
fine), but you can edit the username in this. How to prevent this
behaviour? As the usernames are provided by the third party, I don't
want people to be able to change them.
Thanks,
Rémy
6 years, 2 months
Read client config at boot time?
by kaeff
Hi folks,
we’re using the jboss/keycloak docker container for local integration testing for an app that’s secured by keycloak. For that, we’re setting up users upon creating the stack through docker-compose.
While we can set up users using environment variables / by means of `add-users-keycloak.json`, we need to use the rest api (i.e. `kcadm.sh create clients` ) to configure a client. Since it requires a running server, we currently can’t do this as part of the docker-compose stack.
Is there a way, or what’s the best way, to pre-load a keycloak instance with a client configuration? Like `add-users-keycloak.json`, but for clients?
6 years, 2 months
Keycloak Clients Access Restriction
by Alexis Reclus
Hey,
I am authenticating users of different web applications using Keycloak (with an Open ID Connect Identity Provider).
The architecture is the following:
- 1 realm
- Different clients (client A, client B) in the realm, each client corresponding to a web application.
- Users (user 1, user 2, user 3)
I want to create different groups of users (group A = user1 & user3 and group B = user1 & user2) and each group can access specific clients but can’t access the other clients (group 1 can’t access to web application in client B).
I tried to implement scopes, roles, groups but I am not sure this is the good way.
How can I realize this in using Keycloak configurations?
Best regards,
6 years, 2 months
Token Exchange First Login
by Graham Burgess
I am having a problem where when I hit Keycloak up for a token exchange from an external IdP token to a Keycloak token, the first login response the access_token JWT does not content the custom attributes that are added to the newly created account. However, subsequent calls for a token exchange, the access_token JWT does contain the custom attributes that I mapped in the client as well as in the profile client scope. The mappers for the custom attribute I am primarily interested in have "Add to access token" and "Add to ID token" enabled.
I believe I am just being blind as to where I need to map it for first login so any pointers would be appreciated.
Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess(a)razer.com
DID: (415) 374 0639
[http://assets.razerzone.com/email/email-sig.jpg]
Razer.com<https://www.razer.com/> | Razer Game Store<https://gamestore.razer.com/> | Razer Insider<https://insider.razer.com/> | Razer zVault<https://zvault.razer.com/>
[https://upload.wikimedia.org/wikipedia/commons/thumb/c/c2/F_icon.svg/200p...]<https://www.facebook.com/Razer> [Twitter_Social_Icon_Rounded_Square_Color] <https://twitter.com/Razer> [glyph-logo_May2016] <https://www.instagram.com/razer/> [youtube_social_squircle_red] <https://www.youtube.com/Razer?sub_confirmation=1>
Razer Inc. (San Francisco)
201 3rd Street, Suite 900
San Francisco CA 94103, USA
Tel: +1 (415) 266 5300
Razer Inc. Stock Code: 1337.HK
IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.
6 years, 2 months
Feature freeze for 4.x
by Stian Thorgersen
We are nearing the completion of 4.x and are entering into a feature
freeze.
We will try to get through the current backlog of PRs, please be proactive
and answer any feedback we give on GitHub.
Anyone that wants to contribute additional features and enhancements to 4.x
should do so very soon, otherwise we are most likely not able to accept
until we start on 5.x.
>From November and most likely until end of January the team will focus on
bug fixing, automation and improvements to our testsuite. In this period
I'm afraid we are not able to accept new features or enhancements, but
please do send contributions regardless. We will review and add it to the
queue for things to be merged once we can open up the gates again.
I'm hoping that in the future with the effort we put in now on automation
and testsuite improvements we will not have to have such lengthy yearly
features freezes. Next time around we should be talking about weeks not
months.
As a final note thanks to everyone that has contributed to Keycloak. Be it
in the form of code, documentation or simply answering questions on the
mailing list. The community is what it is all about and we are very prod to
have such a great community around Keycloak.
6 years, 2 months
is it must to use keycloak server
by vandana thota
Can we use just keycloak-saml adapater on wildfly server . And have
other IDP ( not keycloak ) for SSO configuration for the app deployed on
wildfly ?
or is it must to use the keycloak server ( as SP / IDP ) ?
6 years, 2 months
Uncaught server error: org.keycloak.models.ModelException: Could not find UserStorageProviderFactory
by Joy Kent
We recently noticed an exception in our keycloak 3.3.4 3-node cluster
running in standalone HA mode:
ESC[0mESC[31m14:10:28,640 ERROR
[org.keycloak.services.error.KeycloakErrorHandler] (default task-25)
Uncaught server error: org.keycloak.models.ModelException: Could not find
UserStorageProviderFactory for: MyUserStorage
at
org.keycloak.storage.UserStorageManager.getStorageProvider(UserStorageManager.java:164)
at
org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:370)
at
org.keycloak.storage.UserStorageManager.getUserByFederatedIdentity(UserStorageManager.java:422)
at
org.keycloak.models.cache.infinispan.UserCacheSession.getUserByFederatedIdentity(UserCacheSession.java:504)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.importUserFromExternalIdentity(TokenEndpoint.java:894)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:857)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:644)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:180)
at sun.reflect.GeneratedMethodAccessor531.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
.....
Our UserStorageProvider was constructed based on the
`EjbExampleUserStorageProvider` as described here:
https://www.keycloak.org/docs/3.3/server_development/topics/providers.html,
except for the following. The `EjbExampleUserStorageProvider` has these
annotations:
@Stateful
> @Local(EjbExampleUserStorageProvider.class)
> public class EjbExampleUserStorageProvider implements UserStorageProvider,
While our UserStorageProvider has these annotations:
@Stateful(passivationCapable=false)
> @Local(MyUserStorageProvider.class)
> public class MyUserStorageProvider implements UserStorageProvider,
The `(passivationCapable=false)` was added to bypass an exception we hit
when running this in HA mode. It was suggested by this thread:
http://lists.jboss.org/pipermail/keycloak-user/2018-March/013442.html.
There is a corresponding MyUserStorageProviderFactory class for this new
MyUserStorageProvider.
Things worked out fine until recently. From the stack trace above, it seems
like the new MyUserStorageProviderFactory was removed from
keycloakSession's keycloakSessionFactory.
Does anyone know what might cause this?
Thanks,
Joy
6 years, 2 months
