Common Client among multiple Realms
by Hariprasad N
Hi All,
Can I have a common client among multiple realms?
As per our product requirement we have to maintain multiple tenants, hence
multiple realms; each realm should have a client with id 'enliven-ui' and
the same client configuration.
The problem with this approach is whenever there is a change in the client
config.
Examples:
1. Root URL is changed,
2. Redirect URL is changed,
3. In Authorization I want to add a new Resource/Policy/Permission/Scope.
Then I have to go to the admin console, go to each individual realm,
select the client 'enliven-ui' and make the required changes, or make the
changes in each realm programmatically using the admin REST API. Instead of
this, can I have a common client?
--
Thanks & Regards,
Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore – 560001, Karnataka, India.
Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n(a)ramyamlab.com
www.ramyamlab.com
6 years
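The "do the changes in each realm programmatically" route from the post, written out as an added example (not the poster's code and not part of Keycloak). It walks every realm through the admin REST API and creates or updates the shared client in each one. Assumed: an admin access token that is valid for all realms is supplied by the caller, the base URL and the client representation are illustrative, and HTTP goes through an injectable `http(method, url, body) -> (status, json)` callable so the sync logic can be exercised without a server.

```python
"""Push one shared client definition into every realm with the Keycloak admin REST API.

Added example for the question above; it is not the poster's code and not part of
Keycloak.  Assumed: an admin access token with rights on every realm is passed in,
the server base URL, the 'enliven-ui' client id and the client representation
below are illustrative, and `http` is an injectable (method, url, body) ->
(status, json) callable so the sync logic can be exercised without a server.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

HttpFn = Callable[[str, str, Optional[dict]], Tuple[int, object]]


def urllib_http(token: str) -> HttpFn:
    """Real transport over urllib; sends the bearer token with every call."""
    def do(method: str, url: str, body: Optional[dict]) -> Tuple[int, object]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as e:
            return e.code, None
    return do


# The one configuration every tenant realm should carry (illustrative values).
SHARED_CLIENT = {
    "clientId": "enliven-ui",
    "rootUrl": "https://app.example.com",
    "redirectUris": ["https://app.example.com/*"],   # exact prefix, no bare wildcard
    "webOrigins": ["https://app.example.com"],
    "publicClient": True,
    "standardFlowEnabled": True,
    "implicitFlowEnabled": False,
    "directAccessGrantsEnabled": False,
}


def sync_client_to_all_realms(base_url: str, shared: dict, http: HttpFn,
                              skip=("master",)) -> Dict[str, str]:
    """Create or update `shared` in each realm; returns {realm: 'created'|'updated'}."""
    status, realms = http("GET", f"{base_url}/admin/realms", None)
    if status != 200:
        raise RuntimeError(f"listing realms failed: HTTP {status}")
    outcome: Dict[str, str] = {}
    for realm in realms:
        name = realm["realm"]
        if name in skip:
            continue
        clients_url = f"{base_url}/admin/realms/{name}/clients"
        status, found = http("GET", f"{clients_url}?clientId={shared['clientId']}", None)
        if status != 200:
            raise RuntimeError(f"{name}: client lookup failed: HTTP {status}")
        if found:
            # PUT on the client's UUID; fields absent from the body are left unchanged
            uuid = found[0]["id"]
            status, _ = http("PUT", f"{clients_url}/{uuid}", {**shared, "id": uuid})
            action = "updated"
        else:
            status, _ = http("POST", clients_url, shared)
            action = "created"
        if status not in (200, 201, 204):
            raise RuntimeError(f"{name}: {action} failed: HTTP {status}")
        outcome[name] = action
    return outcome


if __name__ == "__main__":
    import os
    print(sync_client_to_all_realms(os.environ["KC_BASE_URL"], SHARED_CLIENT,
                                    urllib_http(os.environ["KC_ADMIN_TOKEN"])))
```

Keeping the representation in one place and re-applying it is also a cheap drift check: a redirect URI added by hand in one tenant realm is overwritten on the next run, so the per-realm clients cannot silently diverge from the reviewed configuration.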
keycloak helm chart SSL configuration
by Leigh Kennedy
Hi,
I have been using Keycloak for a while via the helm chart. It has been working fine using http. However, I am trying to get it to use a certificate. I have struggled to find any clear documentation on how to do this. This is what I have at the moment (you can see commented out a few things I have tried).
keycloak:
  username: test
  password: xxx
  service:
    nodePort: 32666
    type: NodePort
  persistence:
    deployPostgres: false
    dbVendor: postgres
    dbName: keycloak
    dbHost: qmi-minikube.local.net
    dbPort: 5432
    dbUser: test
    dbPassword: xxx
  #extraEnv: |
  #  - name: PROXY_ADDRESS_FORWARDING
  #    value: "true"
  ingress:
    enabled: true
    # annotations:
    #   kubernetes.io/ingress.global-static-ip-name: "keycloak-static-ip"
    #   kubernetes.io/ingress.allow-http: "false"
    #   ingress.kubernetes.io/ssl-redirect: "true"
    path: /auth
    hosts:
      - keycloak.elastic.example
    tls:
      - hosts:
          - keycloak.elastic.example
        secretName: elastic-example-tls
Can anyone see what I am doing wrong here? I know my certificate is OK as I use it in another nginx ingress config (not running while this one is) and it works fine.
Thanks.
Leigh Kennedy
6 years
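A check worth running once the ingress has a certificate, added here as an example (not the poster's code, not from the Helm chart, not from Keycloak). When TLS is terminated at the ingress, the realm's OpenID discovery document must still advertise https endpoints; http URLs there are the usual symptom of Keycloak building its URLs from the plain-http hop behind the proxy instead of from the forwarded headers, which is what the PROXY_ADDRESS_FORWARDING setting commented out in the values above controls. The host and realm are the post's own; `fetch` is injectable and the discovery documents below are constructed so the check runs offline.

```python
"""Verify that a Keycloak behind a TLS-terminating ingress advertises https endpoints.

Added example; not from the original post, the Helm chart or the Keycloak project.
It fetches the realm's OpenID discovery document and reports every endpoint
whose URL is not https on the expected public host.  `fetch` is injectable so
the check can be run against the constructed samples at the bottom.
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit


def urllib_fetch(url: str, cafile: Optional[str] = None) -> str:
    """Real transport: verifies the server certificate (optionally against a private CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read().decode()


# Endpoints a relying party will actually follow; a wrong scheme on any of them
# ends in a redirect to http or a mixed-content failure in the browser.
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "end_session_endpoint", "jwks_uri", "userinfo_endpoint")


def discovery_url(host: str, realm: str, path: str = "/auth") -> str:
    return f"https://{host}{path}/realms/{realm}/.well-known/openid-configuration"


def find_insecure_endpoints(doc: Dict, expected_host: str) -> List[str]:
    """Return the keys (in ENDPOINT_KEYS order) whose URL is not https on expected_host."""
    bad = []
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if value is None:          # optional endpoint not published by this realm
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or parts.hostname != expected_host:
            bad.append(key)
    return bad


def check_keycloak_tls(host: str, realm: str,
                       fetch: Callable[[str], str] = urllib_fetch) -> List[str]:
    """Empty list means the realm advertises only https URLs on the public host."""
    doc = json.loads(fetch(discovery_url(host, realm)))
    return find_insecure_endpoints(doc, host)


def fake_fetch_for(doc: Dict) -> Callable[[str], str]:
    """Offline stand-in for urllib_fetch that serves a constructed document."""
    return lambda url: json.dumps(doc)


# Constructed sample of a broken deployment: TLS was terminated at the ingress but
# Keycloak built its URLs from the http hop.  jwks_uri is left correct on purpose
# to show the check reports only the offending keys.
SAMPLE_BROKEN = {
    "issuer": "http://keycloak.elastic.example/auth/realms/master",
    "authorization_endpoint": "http://keycloak.elastic.example/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak.elastic.example/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.elastic.example/auth/realms/master/protocol/openid-connect/certs",
}
# Constructed sample of the healthy case.
SAMPLE_OK = {k: v.replace("http://", "https://") for k, v in SAMPLE_BROKEN.items()}

if __name__ == "__main__":
    print(check_keycloak_tls("keycloak.elastic.example", "master"))
```

Run it against the live host after every ingress change; a non-empty list means the proxy headers are not reaching Keycloak (or the ingress is not sending them), regardless of whether the certificate itself is served correctly.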
No Default theme - Null Pointer Exception
by Cono D'Elia
Hi All:
My use case was to automatically direct the user to a custom theme
depending on the device they are using e.g: native mobile vs other. The
theme selector will make a decision based on User Agent and direct the
end-user accordingly.
I created a theme selector based on the source code snippets provided from
https://www.keycloak.org/docs/latest/server_development/index.html#_provi....
I basically did a copy and paste. I was able to deploy the theme and it
appeared in the Provider's tab in the Admin console. I copied the base
theme as 'my-theme'. When I restart the Keycloak server it fails to start
throwing an NPE indicating that there is No Default theme.
I was wondering if I needed any other code or configuration that is not
stated in that particular section to get this going? I couldn't find a
working sample online, so if I can be directed to one that would be great.
Thanks a bunch!
Chuck.
6 years
Can't request resource permissions by resource name by service account client and not user
by Or Harary
Hey,
I'm using version 4.8.1 and I'm trying to check resource permissions on
another client with the token endpoint, by the resource name, with a
client's access token, and I'm getting "Resource with id [{resourceId}]
does not exist".
I have a service account client "foobarservice". I want this service
account client to check its permissions on a "foobaresource" resource from
another client "otherservice".
myrealm
-- "foobarservice" Service Account Client
-- -- foobar resource (with always grant policy and permission)
-- "otherservice" Service Account Client
I did "client_credentials" login with the "foobarservice" and got an
access_token. With that token, I tried:
curl -X POST \
  http://keyclok:8080/auth/realms/myrealm/protocol/openid-connect/token \
  -H "Authorization: Bearer {foobarservice_access_token}" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=otherservice&permission=foobaresource&response_mode=permissions"
And got 400 Bad Request with the not-found error.
When I'm doing the same request with some user's token, it works well.
I looked into the code (my knowledge of Java is very basic) and it seems to
be because of this:
https://github.com/keycloak/keycloak/blob/f4f68438870768ac6cc18012cfae278...
Is this the expected behavior, or a bug? Because when I used version 3.4 it
did work.
Thanks,
Or
6 years
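The request from the post, as an added example in Python (not the poster's code and not Keycloak's): it builds the same `uma-ticket` form with `response_mode=permissions`, allowing several `permission` fields in `RESOURCE#SCOPE` form, and parses the JSON array Keycloak returns in that mode (objects carrying `rsid`, `rsname` and `scopes`). The `permission` value is passed through unchanged, so the caller can send a resource UUID instead of the name when a name lookup fails for the token in hand. Host, realm, client ids and the canned responses are illustrative and constructed; `post_form` is injectable so the logic runs offline.

```python
"""Request a permission decision with the UMA ticket grant and read the answer.

Added example, not the original poster's code and not Keycloak's.  It builds the
post's request (response_mode=permissions), sends one `permission` field per
resource/scope pair and parses the permissions array Keycloak answers with.
The URL and the canned responses below are constructed for illustration.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
TOKEN_URL = "http://keyclok:8080/auth/realms/myrealm/protocol/openid-connect/token"

PostFn = Callable[[str, List[Tuple[str, str]], str], Tuple[int, str]]


def urllib_post_form(url: str, fields: List[Tuple[str, str]], bearer: str) -> Tuple[int, str]:
    """Real transport: form-encoded POST with the caller's access token."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Authorization", f"Bearer {bearer}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:          # 400/403 carry a JSON error body
        return e.code, e.read().decode()


def build_permission_fields(audience: str,
                            permissions: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """`permissions` holds (resource, scope-or-None); resource may be an id or a name.
    Each pair becomes its own `permission` field, RESOURCE#SCOPE when a scope is given."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience), ("response_mode", "permissions")]
    for resource, scope in permissions:
        fields.append(("permission", f"{resource}#{scope}" if scope else resource))
    return fields


def request_permissions(token_url: str, bearer: str, audience: str,
                        permissions: List[Tuple[str, Optional[str]]],
                        post_form: PostFn = urllib_post_form) -> Tuple[bool, object]:
    """(True, [granted permission objects]) on 200, else (False, error object)."""
    status, body = post_form(token_url, build_permission_fields(audience, permissions), bearer)
    if status == 200:
        return True, json.loads(body)
    try:
        return False, json.loads(body)
    except ValueError:
        return False, {"error": "unexpected_response", "error_description": body}


def has_permission(granted: List[Dict], resource_name: str, scope: Optional[str] = None) -> bool:
    """True if the decision grants `resource_name` (and `scope`, when one is required)."""
    for entry in granted:
        if entry.get("rsname") == resource_name:
            if scope is None or scope in (entry.get("scopes") or []):
                return True
    return False


def canned(status: int, payload: object) -> PostFn:
    """Offline stand-in for urllib_post_form serving a constructed response."""
    return lambda url, fields, bearer: (status, json.dumps(payload))


# Constructed responses: what a grant and a name-lookup failure look like.
GRANT_RESPONSE = [{"rsid": "5c3c1a3e-0000-4000-8000-000000000001",
                   "rsname": "foobaresource", "scopes": ["read"]}]
NOT_FOUND_RESPONSE = {"error": "invalid_resource",
                      "error_description": "Resource with id [foobaresource] does not exist."}

if __name__ == "__main__":
    ok, perms = request_permissions(TOKEN_URL, "{foobarservice_access_token}", "otherservice",
                                    [("foobaresource", None)])
    print(ok, perms)
```

Treat anything other than a 200 with a non-empty array as a deny: the `permissions` mode gives the caller the decision only, and a missing scope in the returned entry is as much a refusal as an error body.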
getting resource owner and loggedin (identity) user attributes in evaluation context
by Suresh Mali
Each user has one or more resources, e.g. 'account'.
Each user is assigned one or more agents (an agent is a different user in the system with the role agent).
I have added them in user attributes. E.g. let us say there is user_a who has an account resource,
and there are users with agent roles, say 'agent_a', 'agent_b', 'agent_c'.
In user_a's attributes I have added the attribute
allowed_agents = ['agent_a', 'agent_b']
and agent_a & agent_b have the attribute
allowed_users = ['user_a']. Now in policy evaluation I want to ensure that when agent_a & agent_b try to access a resource owned by user_a they are allowed, while agent_c is not allowed.
How do I access the resource owner's attributes and/or the identity owner's attributes?
I want to write an evaluation something like this.
Is it possible to get $permission.resource.owner.attributes["allowed_agents"] to return ['agent_a','agent_b'], or $identity.attributes['allowed_users'] to return ['user_a'], so that I can evaluate the match?
Something like the rule below:

rule "Authorize Resource Owner"
dialect "mvel"
when
    $evaluation : Evaluation(
        $identity : context.identity,
        $permission : permission,
        // indexOf returns a position, so compare it to get the boolean the condition needs
        $permission.resource.owner.attributes['allowed_agents'].indexOf($identity.id) >= 0
    )
then
    $evaluation.grant();
end
6 years
Mapping in additional user roles
by Tom Barber
Hi folks,
This may have a simple answer in which case I apologise.
I’ve been tasked with fronting some web apps with Keycloak connected via
SAML to AD FS as the ID provider.
I found this
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html so
planned to do similar.
The next issue I face is that the AD FS service is hosted by a different
entity and we don't have the ability to change it, yet we need to map roles in.
What extension points are available to us in Keycloak that allow a
user to log in but then have us assign roles by looking them up in a
*different* AD server and pulling their roles from there?
Thanks
Tom
--
Spicule Limited is registered in England & Wales. Company Number:
09954122. Registered office: First Floor, Telecom House, 125-135 Preston
Road, Brighton, England, BN1 6AF. VAT No. 251478891.
All engagements
are subject to Spicule Terms and Conditions of Business. This email and its
contents are intended solely for the individual to whom it is addressed and
may contain information that is confidential, privileged or otherwise
protected from disclosure, distributing or copying. Any views or opinions
presented in this email are solely those of the author and do not
necessarily represent those of Spicule Limited. The company accepts no
liability for any damage caused by any virus transmitted by this email. If
you have received this message in error, please notify us immediately by
reply email before deleting it from your system. Service of legal notice
cannot be effected on Spicule Limited by email.
6 years
Realm Custom Attributes
by Hariprasad N
Hi All,
Can we add realm-level custom attributes?
--
Thanks & Regards,
Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore – 560001, Karnataka, India.
Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n(a)ramyamlab.com
www.ramyamlab.com
6 years
Conflicting scopes in permissions always gets deny, maybe this should be configurable?
by Or Harary
Hey,
Let's say I want to allow creating custom roles with custom permissions on
scopes (to allow access to multiple resource types and actions). So per
role, I wanted to create a matching permission with the allowed scopes
(resource-type-foo-create/resource-type-bar-create/etc.) and policies
accordingly (role/client/user/group).
So if I have:
Role A
Allowed: foo-create, foo-read, bar-read
Role B
Allowed: foo-read, bar-read
Because they have conflicting scopes, foo-read always gets denied. So as I
see it, it can't be done this way. Maybe there should be a Decision Strategy
for permissions evaluation, like in a single permission with policies?
Thanks,
Or
6 years
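A small model of the situation in the post, added as an example (a simplified model written for this thread, not Keycloak's evaluation code). It takes the Role A / Role B layout as its only input, gives every scope one vote per permission that mentions it, and combines the votes either unanimously (every covering permission must grant) or affirmatively (one grant suffices), which is the decision strategy the post asks for. It also shows the restructuring that yields the intended result even under unanimous combination: one permission per scope whose policy accepts any of the roles allowed for that scope, instead of one permission per role. Permission and role names beyond the post's are invented.

```python
"""How a scope's outcome changes with the strategy used to combine the permissions covering it.

Added example written for this thread; a simplified model, not Keycloak's code.
ScopePermission is the post's layout (one permission per role); per_scope()
inverts it into one permission per scope with an any-of-these-roles policy.
"""
from typing import Dict, Iterable, List, Set


class ScopePermission:
    """One permission per role, listing the scopes that role may use."""
    def __init__(self, name: str, scopes: Iterable[str], required_role: str):
        self.name = name
        self.scopes: Set[str] = set(scopes)
        self.required_role = required_role

    def decide(self, identity_roles: Set[str]) -> bool:
        return self.required_role in identity_roles


class AnyRoleScopePermission:
    """One permission per scope, granting if the caller holds any listed role."""
    def __init__(self, scope: str, roles: Iterable[str]):
        self.name = f"{scope}-perm"
        self.scopes: Set[str] = {scope}
        self.roles: Set[str] = set(roles)

    def decide(self, identity_roles: Set[str]) -> bool:
        return bool(self.roles & identity_roles)


def evaluate(permissions, identity_roles: Set[str], strategy: str = "unanimous") -> Dict[str, bool]:
    """Per-scope decision: one vote from every permission covering the scope, then combine."""
    if strategy not in ("unanimous", "affirmative"):
        raise ValueError(f"unknown strategy {strategy!r}")
    votes: Dict[str, List[bool]] = {}
    for perm in permissions:
        granted = perm.decide(identity_roles)
        for scope in perm.scopes:
            votes.setdefault(scope, []).append(granted)
    combine = all if strategy == "unanimous" else any
    return {scope: combine(v) for scope, v in votes.items()}


def per_scope(permissions: Iterable[ScopePermission]) -> List[AnyRoleScopePermission]:
    """Invert role->scopes permissions into scope->roles permissions (no overlaps left)."""
    roles_by_scope: Dict[str, Set[str]] = {}
    for perm in permissions:
        for scope in perm.scopes:
            roles_by_scope.setdefault(scope, set()).add(perm.required_role)
    return [AnyRoleScopePermission(s, r) for s, r in sorted(roles_by_scope.items())]


# The post's setup: Role A and Role B overlap on foo-read and bar-read.
ROLE_PERMISSIONS = [
    ScopePermission("role-a-perm", ["foo-create", "foo-read", "bar-read"], "role-a"),
    ScopePermission("role-b-perm", ["foo-read", "bar-read"], "role-b"),
]


def granted_scopes(roles: Iterable[str], strategy: str, permissions=None) -> List[str]:
    """Sorted list of scopes granted to a caller holding `roles`."""
    perms = ROLE_PERMISSIONS if permissions is None else permissions
    return sorted(s for s, ok in evaluate(perms, set(roles), strategy).items() if ok)


if __name__ == "__main__":
    for roles in (["role-a"], ["role-b"]):
        print(roles,
              "unanimous:", granted_scopes(roles, "unanimous"),
              "affirmative:", granted_scopes(roles, "affirmative"),
              "per-scope, unanimous:", granted_scopes(roles, "unanimous", per_scope(ROLE_PERMISSIONS)))
```

Under the unanimous combination a Role B holder gets nothing, which is the behaviour the post describes; affirmative combination grants foo-read and bar-read but also means any single over-broad permission grants on its own, so the per-scope layout, where each scope has exactly one permission and the role list lives in its policy, is the safer way to express "several roles share a scope".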
Fwd: Multi-tiered Permissions
by Warren, Scott
Hi,
I need some input on the best way to solve authorization for a retail chain
scenario. Here's the scenario:
A retailer has 10,000 stores and 30,000 users.
While each user has a primary store, they can work in other stores in their
region.
At his/her primary store, UserA (a clerk) has the following scopes: POS,
DailyCloseout.
For secondary stores, UserA has only the POS scope.
While there are many more scopes and user roles, the problem to solve is
this multi-tiered permissions structure: UserA's permissions depend on the
store context.
I've set up stores as resources (of type "store"), each resource has a
storeNbr attribute
I've set up scopes of POS, DailyCloseout, SalesReports, etc.
I'm struggling with a clean way to tie a user to his/her "storeX": [
"scopeA", "scopeB", "scopeC"]. I put this structure in as a user attribute
and, after mapping it, got it working with a JavaScript policy,
but that's a maintenance nightmare at best.
I can set up roles with names like <storeNbr>.<scopeA>. It's better than
the user attribute route, but still feels like a hack.
I'm guessing I could write a Drools policy that could, using the identity
from the context, read from a database that contains this structure. BUT
this provider is in tech preview / not supported, so I'm not excited about
this route.
Lastly, I guess I could write a custom policy provider.
These last two require me to maintain a separate database (and app to
maintain it), so I'm not thrilled with either of them.
So, what have I missed? Is there an elegant way to solve this?
Thanks for your help!
Scott
--
Scott G. Warren
SUM Global Technology
swarren(a)sumglobal.com
678.469.3455
6 years
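One attribute-based evaluator serving two threads above: the allowed_agents / allowed_users question (an agent may act on a resource only if the resource owner lists the agent) and the retail scenario just described (a clerk's scopes depend on whether the requested store is the primary store, another store in the same region, or neither). This is an added example, not Keycloak's policy code and not either poster's. It models what a policy sees (the caller's attributes, the requested resource's attributes, the requested scope) and two policy functions over them; a custom policy provider would pull the same data from its own store. All identities, attribute keys, store numbers and regions are constructed for this illustration.

```python
"""Attribute-based decisions over identity and resource attributes.

Added example, not Keycloak's evaluation code or either poster's.  Two policies:
an agent allow-list kept on the resource owner (the 'allowed_agents' thread) and
store-context scopes (the retail thread).  All sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Identity:
    id: str
    roles: Set[str] = field(default_factory=set)
    attributes: Dict[str, List[str]] = field(default_factory=dict)   # multi-valued, as in Keycloak


@dataclass
class Resource:
    name: str
    type: str
    owner: str                                                       # owner's user id
    attributes: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Evaluation:
    identity: Identity
    resource: Resource
    scope: str
    users: Dict[str, Identity]   # directory lookup so a policy can load the owner's attributes


Policy = Callable[[Evaluation], bool]


def owner_policy(ev: Evaluation) -> bool:
    return ev.identity.id == ev.resource.owner


def agent_allowlist_policy(ev: Evaluation) -> bool:
    """Grant only when the owner lists the caller as an agent AND the caller lists the
    owner: both attributes must agree, so one tampered attribute is not enough."""
    owner = ev.users.get(ev.resource.owner)
    if owner is None or "agent" not in ev.identity.roles:
        return False
    allowed_agents = set(owner.attributes.get("allowed_agents", []))
    allowed_users = set(ev.identity.attributes.get("allowed_users", []))
    return ev.identity.id in allowed_agents and owner.id in allowed_users


PRIMARY_STORE_SCOPES = {"POS", "DailyCloseout"}
SECONDARY_STORE_SCOPES = {"POS"}


def store_context_policy(ev: Evaluation) -> bool:
    """Scopes depend on the store acted on: full set at the primary store, POS only at
    other stores in one of the caller's regions, nothing anywhere else."""
    if ev.resource.type != "store":
        return False
    store = ev.resource.attributes.get("storeNbr", [None])[0]
    region = ev.resource.attributes.get("region", [None])[0]
    primary = ev.identity.attributes.get("primaryStore", [None])[0]
    regions = set(ev.identity.attributes.get("regions", []))
    if store is not None and store == primary:
        return ev.scope in PRIMARY_STORE_SCOPES
    if region is not None and region in regions:
        return ev.scope in SECONDARY_STORE_SCOPES
    return False


def decide(ev: Evaluation, policies: List[Policy], strategy: str = "affirmative") -> bool:
    results = [p(ev) for p in policies]
    return all(results) if strategy == "unanimous" else any(results)


# Constructed directory and resources.
USERS = {
    "user_a": Identity("user_a", {"customer"}, {"allowed_agents": ["agent_a", "agent_b"]}),
    "agent_a": Identity("agent_a", {"agent"}, {"allowed_users": ["user_a"]}),
    "agent_b": Identity("agent_b", {"agent"}, {"allowed_users": ["user_a"]}),
    "agent_c": Identity("agent_c", {"agent"}, {"allowed_users": ["user_a"]}),  # claims it; owner disagrees
    "clerk": Identity("clerk", {"clerk"}, {"primaryStore": ["1001"], "regions": ["south"]}),
}
ACCOUNT = Resource("account", "account", "user_a")
STORE_1001 = Resource("store-1001", "store", "retailer", {"storeNbr": ["1001"], "region": ["south"]})
STORE_1002 = Resource("store-1002", "store", "retailer", {"storeNbr": ["1002"], "region": ["south"]})
STORE_2001 = Resource("store-2001", "store", "retailer", {"storeNbr": ["2001"], "region": ["north"]})

POLICIES: List[Policy] = [owner_policy, agent_allowlist_policy, store_context_policy]


def can(user_id: str, resource: Resource, scope: str) -> bool:
    return decide(Evaluation(USERS[user_id], resource, scope, USERS), POLICIES)


if __name__ == "__main__":
    for who, res, sc in (("agent_a", ACCOUNT, "view"), ("agent_c", ACCOUNT, "view"),
                         ("clerk", STORE_1001, "DailyCloseout"), ("clerk", STORE_1002, "DailyCloseout")):
        print(who, res.name, sc, "->", can(who, res, sc))
```

Two design points carry over to a real policy provider: the allow-list check reads the relationship from both sides, so an agent who edits only their own `allowed_users` attribute gains nothing, and the store policy derives its answer from the requested resource's attributes plus the caller's, so adding a store or moving a clerk is a data change rather than a new role or policy.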