(no subject)
by Fluffy Mark Garces
I would like to have confirmation and a consultant for the usage of the
Keycloak platform. I am new to this field and I have been assigned to
provide an SSO solution for our project; after a bunch of research, I
decided to go with this platform hoping to solve the wanted features:
+ goal: provide an SSO solution to various SPs and/or IDPs (i.e. our app can
be plugged into any existing IDP with multiple SPs)
+ our application: "App A" would like to be an SP only… and can be proved
to integrate with other IDPs or SPs.
+ protocol to be used: SAML
I just want to know if this can be done with this platform. Any advice or
recommendations would be helpful; I would also like, if possible, to consult
some of you guys privately, I hope.
Please help, I am just new to this and need people like you to guide me.
Thanks in advance
6 years
Authorization : Scope cannot be added to multiple permission
by Bruce Wings
(The configuration discussed below is done under the Authorization tab)
I have created an Authorization Scope. When I create 2 scope-based permissions,
Perm1 and Perm2, and add this scope to both, no error is shown and the
scope is successfully added.
But when I look at the scopes at my client end, I see that only 1
permission has that scope. (The scope gets reflected in whichever permission is
added last; it disappears from the previous permission.) Is this
the intended behavior?
The way I checked the scopes is by intercepting the request and obtaining the
permission list in my Java client:
import java.util.List;
import java.util.Set;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.idm.authorization.Permission;

// The Keycloak servlet adapter stores the security context as a request attribute.
KeycloakSecurityContext keycloakSecurityContext =
    (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
// Null when the adapter has no policy-enforcer configuration for this request.
List<Permission> permList = (authzContext == null) ? null : authzContext.getPermissions();
if (permList != null) {
    for (Permission perm : permList) {
        Set<String> scopeList = perm.getScopes();
        // other stuff
    }
}
6 years
Refreshing ID token and sliding session
by Olga Bon
I am studying Keycloak and the related protocols OpenID Connect & OAuth2. Everything is
clear except one thing: how to maintain a sliding session for a logged-in
user. Maybe I misunderstand something.
1. The Authorization Code flow first of all redirects a user to the Keycloak
login page; after a successful login the user is redirected to the redirect
URL with the authorization code.
2. Using this authorization code, a server-side application connects to
the Keycloak server and exchanges the code for the Access token (also
including client id, secret, etc.) and the ID token.
3. The Access token is used by the server-side application itself in order
to retrieve details from the Keycloak server, like additional user info,
public key, etc. So the Access token is used by applications only.
4. The server-side application sets a cookie with the received ID token.
Now the user can access protected resources.
All in all we have
1. Access token stored on the server side and used only by applications
or services to retrieve additional info from Keycloak.
2. Refresh token stored on the server side and used only by applications
or services to get a new Access token.
3. ID token stored in the user's cookies and used to access protected
resources of the system.
My question is, how can the ID token be refreshed? Consider the following
case: a user is logged in and doing some actions in the system, but
suddenly the token expires. How should this case be handled? I have
implemented my own flow called the Sliding session, so the token gets
refreshed if any request is made; however I don't know how to handle this
case with Keycloak.
I would be grateful for any help regarding the matter.
6 years
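The sliding-session decision described above, written out as an added example (not code from the original thread): check the ID token kept in the user's cookie for expiry on each request and, when it is about to expire, build the refresh_token request to Keycloak's token endpoint. The client id and secret are assumed placeholders; the JWT decoding here is for scheduling only and does not verify the signature.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode

def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature. Use this only
    to schedule a refresh; any authorization decision must rely on the verified
    claims your OIDC library/adapter produces."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def needs_refresh(id_token: str, now: Optional[float] = None, skew: int = 30) -> bool:
    """True when the ID token in the cookie has expired or expires within `skew`
    seconds. A sliding session calls this on every request: refresh just in
    time, and the session keeps sliding while the user stays active."""
    exp = jwt_claims(id_token).get("exp")
    if exp is None:
        return True          # fail closed: an ID token without exp is not usable
    return (time.time() if now is None else now) >= exp - skew

def refresh_request(refresh_token: str, client_id: str, client_secret: str) -> str:
    """Form body for POST https://<kc>/auth/realms/<realm>/protocol/openid-connect/token.
    Keycloak answers with a new access_token, refresh_token and id_token together,
    so rotate all three: the server-side tokens and the ID-token cookie."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,          # assumed confidential client
        "client_secret": client_secret,
    })

def make_test_token(claims: dict) -> str:
    """Constructed, unsigned fixture for offline use; real tokens are signed by Keycloak."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

If the refresh itself fails (the refresh token has outlived the realm's SSO Session Idle or SSO Session Max limits), the only correct handling is to clear the cookie and send the user back through the login redirect.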
Keycloak with volume Mount
by Lahari Guntha
Hi All,
I have launched Keycloak as a container in a Virtual Machine. I have created Realms and configured clients to have SSO enabled for them.
For some reason I had to restart Docker in the VM in which I have this Keycloak container. When I restarted the Docker service, all the configuration that was made earlier, like the clients that I have configured, was lost.
Can we make it persistent? Can we have a mount point so that we can save the data onto the host and then bring up the container with the mount point?
Thanks and Regards,
Lahari G
6 years
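One way to make the realm and client configuration survive container restarts, as an added example that is not part of the original message: run the jboss/keycloak image (the Docker image current when this was posted) against a PostgreSQL container whose data directory is a named volume, so the configuration lives in the database rather than inside the Keycloak container. Image tags and the CHANGE_ME credentials are placeholders.

```yaml
# Assumed placeholders: image tags, passwords. Data persists in the keycloak_db volume.
version: "3.7"
services:
  postgres:
    image: postgres:11
    volumes:
      - keycloak_db:/var/lib/postgresql/data   # persisted on the host by Docker
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: CHANGE_ME_DB_PASSWORD
  keycloak:
    image: jboss/keycloak:4.8.3.Final
    depends_on:
      - postgres
    environment:
      DB_VENDOR: postgres
      DB_ADDR: postgres
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: CHANGE_ME_DB_PASSWORD
      KEYCLOAK_USER: admin                      # bootstrap admin, created on first start only
      KEYCLOAK_PASSWORD: CHANGE_ME_ADMIN_PASSWORD
    ports:
      - "8443:8443"
volumes:
  keycloak_db:
```

Mounting a volume at /opt/jboss/keycloak/standalone/data also keeps the embedded H2 database across restarts, but H2 is meant for development only; an external database is the supported way to persist a realm.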
Change target after password change?
by Craig Setera
Our current application uses PWM for password management tasks. We use
their activation flow to set a password and also the forgotten password
flow to change the password. In each of those cases, it is possible to
specify the page to redirect to once the flow has been completed. This is
used by us to redirect them back to our application. Is there anything
similar for Keycloak? Right now, it seems like all of these flows end up
in the account management interface.
Thanks,
Craig
=================================
Craig Setera
Chief Technology Officer
6 years
Authorization of action in application (client of KC)
by Nikola Malenic
I have a use case where I have to authorize an action in my application
taken by the user. Here is how it should go:
The user is logged in at KC and using my application. Now, my application
would need to authorize one user action by sending the user to KC, where he
would enter his OTP, and then my application would get some kind of proof
that the user authorized the action (I don't know yet what that should be).
Do you have any idea how this could be achieved using KC? I guess the action SPI
would somehow be used.
Thank you in advance,
Nikola
6 years
Re: [keycloak-user] SSL connection to Keycloak Server
by Luis Rodríguez Fernández
Hello Kunal,
It looks like you have to update the "Valid Redirect URIs" field in your
client application, see [1].
Hope it helps,
Luis
[1] https://www.keycloak.org/docs/latest/server_admin/index.html#_clients
On Wed, 2 Jan 2019 at 11:28, Kunal Kumar (<wolfbro92(a)gmail.com>)
wrote:
> Hi Luis,
>
> I am trying to configure SSL for Keycloak. I have already followed all the
> steps, configurations in standalone.xml, and also creating and authorizing
> the necessary certificates as well. But when connecting to my web app, it
> has this particular error as in the attached file
>
> Are you familiar with this error?
>
> Regards,
> Kunal
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
6 years
REST API to get resource permission evaluated
by Suresh Mali
I have created resources via the API for users: {kc-host}:{kc-port}/auth/realms/{realm}/authz/protection/resource_set/
I have created a policy which decides based on the relation between the resource owner and the identity user,
like this:

// JavaScript policy: grant when the requester owns the resource, or is listed
// in the owner's "allowed_agents" user attribute; otherwise deny.
var identity_user = $evaluation.context.identity.id;
var resource_owner = $evaluation.permission.resource.getOwner();
var identity_user_attrs = $evaluation.realm.getUserAttributes(resource_owner);
var allowed_agents = identity_user_attrs.allowed_agents;
if (resource_owner == identity_user) {
    $evaluation.grant();
} else if (allowed_agents !== null && allowed_agents[0].indexOf(identity_user) > -1) {
    $evaluation.grant();
} else {
    $evaluation.deny();
}

I am able to evaluate the permission for various users & (agent users) in the Keycloak admin console in realm->client->authorization->evaluation tab. It is evaluating properly.
How can I get the same permit/deny from a REST API so that I can call it from my client on behalf of the identity user, with the identity user's access token as authorization (or another method of authorization)?
Either a simple permitted/denied, or "permissions": [ { "scopes": [ "read" ], "rsid": "e1617f7c-dffe-42c9-b91f-476e8a810c4a", "rsname": "kyc1" } ]
kind of output is required.
I tried {kc-host}:{kc-port}/auth/realms/{realm}//authz/protection/permission
I get an opaque permission ticket; how can I decode this?
thank you Suresh
6 years
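The REST evaluation asked for above, as an added example (not code from the original thread): Keycloak Authorization Services answers permission queries at the realm's token endpoint when the client sends the user's own access token as Bearer with the UMA grant type; response_mode=decision returns {"result": true} and response_mode=permissions returns the resource/scope list quoted in the post. The client id "kyc-client" is an assumed placeholder, and the sample responses are constructed; the opaque permission ticket is not meant to be decoded but sent back in the ticket parameter of this same request.

```python
import json
from typing import Optional
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def token_endpoint(kc_base: str, realm: str) -> str:
    return f"{kc_base}/auth/realms/{realm}/protocol/openid-connect/token"

def uma_request_body(audience: str, resource: Optional[str] = None,
                     scope: Optional[str] = None, decision_only: bool = False,
                     ticket: Optional[str] = None) -> str:
    """Form body for the token endpoint, POSTed with
    'Authorization: Bearer <identity user's access token>'.
    audience is the client id that owns the resources (assumed placeholder)."""
    fields = {"grant_type": UMA_GRANT, "audience": audience,
              "response_mode": "decision" if decision_only else "permissions"}
    if ticket:
        fields["ticket"] = ticket          # ticket obtained from /authz/protection/permission
    elif resource:
        # Without 'permission' Keycloak returns everything the user may access on this client.
        fields["permission"] = f"{resource}#{scope}" if scope else resource
    return urlencode(fields)

def granted(response_body: str, rsname: str, scope: str) -> bool:
    """Evaluate Keycloak's answer in either response mode. Unknown shapes,
    error bodies and missing resources/scopes all count as denied (fail closed)."""
    try:
        data = json.loads(response_body)
    except json.JSONDecodeError:
        return False
    if isinstance(data, dict):                 # decision mode or an error object
        return data.get("result") is True
    for perm in data:                          # permissions mode
        if perm.get("rsname") == rsname and scope in perm.get("scopes", []):
            return True
    return False

# Constructed sample answers; the first mirrors the output quoted in the thread.
SAMPLE_PERMISSIONS = json.dumps([{"scopes": ["read"],
    "rsid": "e1617f7c-dffe-42c9-b91f-476e8a810c4a", "rsname": "kyc1"}])
SAMPLE_DECISION_GRANT = json.dumps({"result": True})
SAMPLE_DENY_ERROR = json.dumps({"error": "access_denied", "error_description": "not_authorized"})
```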
[Api][Configuration] Create user from REST API: 401 Unauthorized
by Gwenael Perier
Hi everybody,
I tried to create a user from the REST API.
I've got my token from my client:
curl -X POST "https://mykeycloak.io/auth/realms/myrealkm/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_secret=xxxxxxxxxxxxxx" \
  -d 'grant_type=client_credentials' \
  -d 'client_id=myclient-openid'
and I tried to create a user:
curl -X POST 'https://mykeycloak.io/auth/admin/realms/site5.bayardev.com/users' \
  -H 'Authorization: Bearer MYACCESSTOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"username":"cjbarker5","enabled":true,"emailVerified":false,"firstName":"CJ","lastName":"Barker","credentials":[{"type":"password","value":"newPas1*","temporary":false}]}' \
  -v
And I get only: HTTP/1.1 401 Unauthorized
I tried to configure my client with roles (manage-users); Full Scope is
Allowed.
I don't know what to do to add the possibility for my client to add users in
Keycloak.
Thanks for any advice.
6 years
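A pre-flight check for the 401 above, as an added example (not code from the original message): before calling the Admin REST API, decode the client_credentials access token and verify the two things that endpoint needs from a service account in the same realm: the token's issuer realm must match the realm in the admin URL, and resource_access.realm-management.roles must contain manage-users. Master-realm tokens that administer other realms through the per-realm "<realm>-realm" clients are outside this check; the fixture token is constructed and unsigned, and decoding here does not verify the signature.

```python
import base64
import json
import time
from typing import List, Optional

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only (no signature verification)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def realm_from_issuer(iss: str) -> str:
    # Keycloak issuer: https://<host>/auth/realms/<realm>
    return iss.rstrip("/").rsplit("/realms/", 1)[-1]

def realm_from_admin_url(url: str) -> str:
    # https://<host>/auth/admin/realms/<realm>/users  ->  <realm>
    return url.split("/admin/realms/", 1)[1].split("/", 1)[0]

def admin_call_problems(token: str, admin_url: str, required_role: str = "manage-users",
                        now: Optional[float] = None) -> List[str]:
    """Return the reasons this token would be rejected by the admin endpoint
    (empty list means the token looks usable for that call)."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    token_realm = realm_from_issuer(claims.get("iss", ""))
    target_realm = realm_from_admin_url(admin_url)
    if token_realm != target_realm:
        problems.append(f"token issued by realm '{token_realm}' but admin URL targets '{target_realm}'")
    # Service-account roles granted in the client's Service Account Roles tab
    # appear under the realm-management client in resource_access.
    roles = claims.get("resource_access", {}).get("realm-management", {}).get("roles", [])
    if required_role not in roles:
        problems.append(f"service account lacks realm-management role '{required_role}'")
    return problems

def make_test_token(claims: dict) -> str:
    """Constructed, unsigned fixture for offline use; real tokens are signed by Keycloak."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```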