OIDC login URLs, how to hide them from the user??
by Max Allan
Hi,
When a user hits a (Keycloak gatekeeper) protected site, they get
redirected to the keycloak server login page, a URL like this :
https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/au...
So, a typical new user journey looks like "type in https colon slash *which
slash was it? oh that one* and another slash ww dot website dot com *oops
no, www and dot org dot uk ENTER"
*I don't want to type _that_ in again : Click Bookmark button QUICK*
So they've now bookmarked a login page that includes a state of 7103....
The session they have works and if they don't use their bookmark, it works.
If they come back to it later and use the bookmark, they get asked to log in and
then get a "403 authorisation denied" error.
The gatekeeper logs say :
1.5481603986412873e+09 error State parameter mismatch
1.5481603986665585e+09 error unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}
So, how can I make this user journey easier with keycloak?
Ideally I'd like to hide the auth URLs completely; their browser doesn't
need to know they're authenticating on a different site.
I tried a "sign-in-page" with a frame containing the login page from
keycloak :
<html>
<frameset cols="100%">
<frame src="{{ .redirect }}">
</frameset>
</html>
(and change the security settings for frame-ancestors )
And when you've logged in, you get an empty page with a 403 error.
Gatekeeper says "unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}" again.
Keycloak says :
type=CODE_TO_TOKEN_ERROR, realmId=86979f4f-7314-4fb6-86bc-3516fcb0c3ae,
clientId=alb, userId=01cf3b8f-498e-46b8-815e-6a9a5c2dda1c,
ipAddress=180.430.597.666, error=invalid_code,
grant_type=authorization_code,
code_id=02221f30-faa5-48ad-aae6-a5adec6a705a,
client_auth_method=client-secret
(ip address etc. has been obfuscated)
IF the user is clever, they can then remove
the oauth/authorize?state=ba4fcb0d-6ecf-4afe-8b98-e0fbcbc4ca25 from the URL
in the browser and the session carries on quite happily.
Is there a setting I'm getting wrong in keycloak somewhere that is breaking
this?
In this first instance, we are returning to an old "state". I can imagine
that not working.
But the second setup, I'm just logging in to keycloak, in a frame, nothing
else has changed from a "working" setup, just the login page is in a frame.
(I also need to figure out how to escape the frame!!)
Thanks,
Max
5 years, 11 months
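The two Gatekeeper errors quoted above ("State parameter mismatch" and "invalid_grant: Incorrect redirect_uri") come from two standard OIDC checks: the relying party accepts a state value only once and only while it is fresh, and the token endpoint accepts a code only with the redirect_uri it was issued for. The following is an added example, not code from Max's post, from Keycloak or from Gatekeeper; it is a small Python model of both checks in which all class names, URLs and the STATE_TTL value are constructed, and it shows why a bookmarked authorization URL fails on the second visit.

```python
"""Added example (not Keycloak or Gatekeeper code): a toy relying party and
token endpoint reproducing the checks behind "State parameter mismatch" and
"Incorrect redirect_uri".  Class names, URLs and STATE_TTL are constructed."""

import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

STATE_TTL = 300  # seconds a pending login stays valid (assumed, not Gatekeeper's value)


class RelyingParty:
    """Stand-in for the protected site / Gatekeeper side of the login."""

    def __init__(self, redirect_uri: str) -> None:
        self.redirect_uri = redirect_uri
        # state -> (issued_at, redirect_uri sent in the authorization request).
        # Gatekeeper keeps this in a cookie; a dict stands in for it here.
        self.pending: Dict[str, Tuple[float, str]] = {}

    def begin_login(self, now: Optional[float] = None) -> Dict[str, str]:
        """Mint a fresh, unguessable state for one login attempt and return
        the parameters that go into the authorization URL."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(16)
        self.pending[state] = (now, self.redirect_uri)
        return {"state": state, "redirect_uri": self.redirect_uri}

    def handle_callback(self, state: str, now: Optional[float] = None):
        """Accept a state at most once and only while it is still fresh.
        A bookmarked authorization URL replays a state that was already
        consumed (or never issued to this browser session), so it ends here."""
        now = time.time() if now is None else now
        entry = self.pending.pop(state, None)  # pop: one-shot, a replay fails
        if entry is None:
            return "error: State parameter mismatch"
        issued_at, redirect_uri = entry
        if now - issued_at > STATE_TTL:
            return "error: State parameter mismatch"
        return {"ok": True, "redirect_uri": redirect_uri}


class TokenEndpoint:
    """Stand-in for the authorization server's code-to-token step."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}  # code -> redirect_uri it was issued for

    def issue_code(self, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = redirect_uri
        return code

    def exchange(self, code: str, redirect_uri: str) -> Dict[str, str]:
        """A code is single-use and bound to the redirect_uri of the
        authorization request; any other redirect_uri is invalid_grant.
        Strict choice for this example: every exchange attempt consumes the code."""
        bound = self.codes.pop(code, None)
        if bound is None:
            return {"error": "invalid_grant", "error_description": "invalid_code"}
        if not hmac.compare_digest(bound.encode(), redirect_uri.encode()):
            return {"error": "invalid_grant", "error_description": "Incorrect redirect_uri"}
        return {"access_token": secrets.token_urlsafe(16)}


def bookmarked_login_scenario():
    """First login succeeds; reusing the bookmarked state later does not."""
    rp = RelyingParty("https://www.example.org.uk/oauth/callback")  # constructed
    params = rp.begin_login(now=0)
    first = rp.handle_callback(params["state"], now=10)
    replay = rp.handle_callback(params["state"], now=10_000)  # the bookmark
    return first, replay


def redirect_uri_scenario():
    """Wrong redirect_uri is rejected; a fresh code works exactly once."""
    authz = TokenEndpoint()
    callback = "https://www.example.org.uk/oauth/callback"  # constructed
    wrong = authz.exchange(authz.issue_code(callback), "https://other.example/cb")
    code = authz.issue_code(callback)
    ok = authz.exchange(code, callback)
    reuse = authz.exchange(code, callback)
    return wrong, ok, reuse


if __name__ == "__main__":
    print(bookmarked_login_scenario())
    print(redirect_uri_scenario())
```

The model makes the practical consequence visible: the state is tied to the browser session that started the login, so no Keycloak setting will make a bookmarked authorization URL reusable; the usable bookmark is the protected site's own URL, which starts a fresh login with a fresh state.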
Gatekeeper docker configuration question
by Dimitris Charlaftis
Hello,
I use the following gatekeeper docker image
https://hub.docker.com/r/keycloak/keycloak-gatekeeper/
In the gatekeeper-config.yaml file
---
client-id: test_app
client-secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
discovery-url: http://dev.server:8202/auth/realms/internal_applications
listen: 127.0.0.1:3000
secure-cookie: false
enable-default-deny: false
redirection-url: http://site.gr
upstream-url: 127.0.0.1:80
resources:
  - uri: /*
    white-listed: true
---
(keycloak server runs at http://dev.server:8202)
I run the gatekeeper container as following
docker run --name=keycloak_gatekeeper --rm -it \
  -v /home/dharlaftis/docker/gatekeeper:/tmp \
  -p 8213:3000 \
  keycloak/keycloak-gatekeeper --config /tmp/gatekeeper-config.yaml
As I have a port mapping 8213:3000, I expect the following scenario
1. I hit the host machine through http at 8213 port http://dev.server:8213
2. will end up to the listening interface 127.0.0.1:3000 of the gatekeeper
which in turn
3. will redirect the request to http://site.gr
correct?
None of the above happens... when I hit http://dev.server:8213 nothing
happens (site unavailable).
Also, what is the difference between redirection-url and upstream-url?
How is this configured?
Thank you in advance!!! please help...
Dimitris
--
_____________________________
Dimitris Charlaftis
Software Engineer
National Documentation Center
email: dharlaftis(a)ekt.gr
_____________________________
5 years, 11 months
User federation via AD/LDAP - how to handle deleted users?
by Thomas Darimont
Hello,
currently, Keycloak (up to 4.8.2) does not handle the case where a user is
deleted in the federated user-store when the built-in LDAP / AD federation
provider is used.
The relevant code is located within the LDAPStorageProviderFactory:
https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9...
There is a TODO which reads:
// TODO: Remove all existing Keycloak users, which have federation links,
but are not in LDAP. Perhaps don't check users, which were just added or
updated during this sync?
I wonder what would be the right thing to do in this case..
If the federated user-store dictates the truth, then IMHO the right thing
to do would be to also delete the user that is associated with the
user-storage provider federation link in Keycloak, if the linked AD / LDAP
user was deleted.
How do you handle this situation in your systems?
Cheers,
Thomas
5 years, 11 months
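As an added illustration of the TODO quoted above (not code from Keycloak's LDAPStorageProviderFactory or from Thomas's post), here is one way to decide, after an LDAP sync, which federated Keycloak users no longer have a backing LDAP entry, while honouring the caveat in the TODO about users added or updated during the sync. The record type, provider ids, usernames and timestamps are all constructed for this example; the function only produces a plan, leaving the actual deletion to the caller.

```python
"""Added example, not Keycloak code: plan the removal of Keycloak users whose
LDAP entry has disappeared, skipping users touched during the sync window.
Every name and record here is constructed for the example."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class KeycloakUser:
    username: str
    federation_link: Optional[str]  # storage-provider id, None for local users
    ldap_id: Optional[str]          # LDAP entry id recorded when the user was imported
    last_synced_at: float           # epoch seconds of the last import/update


def plan_removals(users: Iterable[KeycloakUser], provider_id: str,
                  ldap_ids_now: Iterable[str], sync_started_at: float) -> Dict[str, List[str]]:
    """Return a dry-run plan: usernames to remove, plus the skipped ones and why.

    A user is removed only if (1) it is linked to *this* provider, (2) it was not
    imported or updated after this sync started (it may come from an LDAP entry
    newer than the listing, so deleting it would race with the sync), and (3) it
    carries an LDAP id that the fresh LDAP listing no longer contains."""
    present = set(ldap_ids_now)
    plan: Dict[str, List[str]] = {
        "remove": [], "skip_not_this_provider": [], "skip_recent": [], "skip_no_ldap_id": [],
    }
    for u in users:
        if u.federation_link != provider_id:
            plan["skip_not_this_provider"].append(u.username)
        elif u.last_synced_at >= sync_started_at:
            plan["skip_recent"].append(u.username)
        elif u.ldap_id is None:
            plan["skip_no_ldap_id"].append(u.username)  # inconsistent link: review, don't delete
        elif u.ldap_id not in present:
            plan["remove"].append(u.username)
        # linked, synced before this run and still present in LDAP: nothing to do
    return plan


def sample_plan() -> Dict[str, List[str]]:
    """Constructed data: the sync started at t=1000; LDAP now lists ids a1 and a3."""
    users = [
        KeycloakUser("alice", "ldap-prov", "a1", 900),    # still in LDAP: keep
        KeycloakUser("bob", "ldap-prov", "a2", 900),      # gone from LDAP: remove
        KeycloakUser("carol", "ldap-prov", "a4", 1005),   # added during this sync: skip
        KeycloakUser("dave", None, None, 900),            # local user: never touched
        KeycloakUser("erin", "other-prov", "z9", 900),    # linked to another provider: skip
        KeycloakUser("frank", "ldap-prov", None, 900),    # link without an LDAP id: review
    ]
    return plan_removals(users, "ldap-prov", ["a1", "a3"], sync_started_at=1000)


if __name__ == "__main__":
    for bucket, names in sample_plan().items():
        print(f"{bucket}: {names}")
```

Producing a plan rather than deleting directly keeps the destructive step reviewable and makes the "recent" bucket visible, which is the case the TODO is unsure about.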
Re: [keycloak-user] Shared datastore?
by Sebastian Laskawiec
Yes, I think that could be the case; I see plenty of places where we
use SKIP_CACHE_STORE.
Let me ask Marek for help here since it has been implemented long before I
joined the team and I don't know the history behind it...
On Thu, Nov 8, 2018 at 8:48 PM William Burns <wburns(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Sebastian Laskawiec" <slaskawi(a)redhat.com>
> > To: "Nicolas Ocquidant" <nocquidant(a)gmail.com>
> > Cc: keycloak-user(a)lists.jboss.org, "Will Burns Rosenquist Burns" <
> wburns(a)redhat.com>
> > Sent: Thursday, November 8, 2018 12:33:47 PM
> > Subject: Re: [keycloak-user] Shared datastore?
> >
> > So I think there are at least two ways to address this problem. This
> first
> > one is to use Offline Tokens [1]. I'm not sure if that fits into your
> > application since it requires your client applications to store the
> token.
> > In other words you can simply delegate this problem one layer below in
> your
> > system.
> >
> > If that doesn't work for you, yes passivation is a way to go. Frankly, I
> > haven't used passivation but from the manual I see it works hand in hand
> > with eviction [2][3]. Will (on CC) can probably correct me here, but my
> > understanding is that whenever an entry gets evicted, the passivation
> > mechanism picks it up and stores somewhere.
>
> It does and it works, the problem is that passivation doesn't play well
> with shared stores in Infinispan. We prevent this configuration in 9.4 or
> newer even.
>
> I recommended that Nicolas just use eviction and a shared store without
> passivation. However it seems that entries are not written to the store in
> this configuration. My guess is that KeyCloak performs write operations
> with the SKIP_CACHE_STORE flag and assumes entries will only be written to
> the store due to passivation. Is there a reason for that?
>
> >
> > [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
> > [2]
> >
> http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passiv...
> > [3]
> >
> https://github.com/infinispan/infinispan/blob/master/core/src/test/java/o...
> >
> > On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant <nocquidant(a)gmail.com>
> > wrote:
> >
> > > My requirements are the following: store tokens emitted by KC during
> one
> > > year.
> > >
> > > I don't know how many users there are, but here are the number I get:
> > > * the number of connections a week is about 700k.
> > > * the number of session refresh a week is about 200k.
> > >
> > > I approximated around 1M of sessions a week, thus 52M a year.
> > > In memory, a user session has been estimated around 4KB (about 1KB in
> > > file/DB).
> > >
> > > But I guess a refresh does not create another session isn't it? And
> maybe
> > > it's possible to ask KC to delete previous emitted tokens when a new
> one is
> > > created for a same user?
> > >
> > > If yes, my estimation is probably a little bit too high here, but I
> > > certainly have several millions of tokens to keep (and maybe dozens of
> > > millions).
> > >
> > > Thanks
> > > --nick
> > >
> > > Le mer. 7 nov. 2018 à 18:17, Nicolas Ocquidant <nocquidant(a)gmail.com>
> a
> > > écrit :
> > >
> > > > Hi,
> > > >
> > > > According to Infinispan, when passivation is disabled, every update
> to
> > > the
> > > > cache should always write to the store.
> > > >
> > > > But I can't manage to get it work with Keycloak. If I disable
> > > passivation,
> > > > my SQL store (Postgres) stays empty, even if the cache is full.
> > > >
> > > > So, if passivation is needed for Keycloak to write to the DB, it
> means
> > > > that the use of a shared DB is not possible...
> > > >
> > > > But this leads to another issue for me. Enable passivation without a
> > > > shared DB seems to imply that either 'fetch-state' or 'purge' should
> be
> > > > enabled on startup, in order for the cache to not contain stale
> entries.
> > > >
> > > > 15:27:44,626 WARN
> > > >
> [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder]
> > > (MSC
> > > > service thread 1-6) ISPN000149: Fetch persistent state and purge on
> > > startup
> > > > are both disabled, cache may contain stale entries on startup
> > > >
> > > > As I need to keep millions of sessions, this will considerably slow
> down
> > > > the startup of my node (when started again after a crash for
> instance).
> > > >
> > > > So, is shared datastore allowed in Keycloak? If yes, how to enable
> it?
> > > > Otherwise what other options do I have to improve my startup time, if
> > > > millions of sessions are in the store?
> > > >
> > > > Thanks
> > > > --nick
> > > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
5 years, 11 months
Google login without automatic user registration
by Scott Thibault
Out-of-the-box, the First Broker Login flow automatically registers
non-existing users authenticated by an identity provider. I would not like
anyone with a valid Google account to be able to login, but only those with
existing accounts. However, any attempt to create a custom flow without
the "Create User If Unique" item leads to an error=invalid_user_credentials.
Is there some solution that would allow me to prevent users without an
existing account to login via the Google identity provider?
5 years, 11 months
Registration page and comboboxes
by Luca Stancapiano
I have a registration page in a Keycloak theme where the user has to choose from a list from a combobox. This list is dynamic, meaning it could be changed by an administrator at any time. What is the best way to manage this list with Keycloak? Can I use the administrative console to update this data? If you are on which component?
5 years, 11 months
Post profile update required actions
by Emilien Bondu
Hello,
I am working on user's mobile phone number attribute validation with SMS code. To do this I created some required actions to send the SMS code and validate the user profile attribute. Everything is ok for user registration and post external providers login (Post Login Flow), however I would like to validate the mobile number with these required actions during user profile modification. I tried to implement an event listener to add required actions on the user profile after the profile update, but these actions will only be triggered during the next login (asynchronously). Is there any way to trigger required actions during user profile modification with a "Post Profile Update Flow"?
Here the link to the project : https://github.com/ebondu/keycloak-sms-authenticator-sns
Thanks,
Emilien
5 years, 11 months
Missing permissions
by Julien Deruere
I'm getting permissions from this request:
curl -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience={resource_server_client_id}" \
  --data "response_mode=permissions"
Which gives me the right results when I use the Keycloak UI to share a resource.
Then if I give permission using the Policy API:
curl -X POST \
  http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{res... \
  -H 'Authorization: Bearer '$access_token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Any people manager",
    "description": "Allow access to any people manager",
    "scopes": ["read"],
    "groups": ["/Managers/People Managers"]
  }'
It works and I can see it in the Keycloak user panel or in the evaluate
permission page, but the first request I mentioned does not include this
permission in the response.
Any idea?
5 years, 11 months
User Federation
by James Pridmore
Hi all,
I wonder if anyone could help me. I'm trying to set up a realm with user federation. I'd like that realm to point to another realm within the same instance of Keycloak.
Is this possible and if so, how do I go about it?
The reason for this is we have one application supporting different contracts, users have different permissions in different contracts. We think we can achieve this by setting up 1 client over multiple realms and using one set of users in all those realms but with different permissions in each realm.
Any advice is much appreciated.
Kind regards,
James
5 years, 11 months
Keycloak Gatekeeper docker image yml file
by Dimitris Charlaftis
Hello,
I want to deploy the following keycloak gatekeeper docker image
https://hub.docker.com/r/keycloak/keycloak-gatekeeper
I want to map a .yml file through the VOLUME command but I don't know the path of the configuration inside the docker container.
Please can you provide where I can map the .yml file (the correct path inside the docker container) for the configuration?
Documentation presents a sample yml file, but it does not say where to map it inside the container...
Thank you!
Dimitris
--
_____________________________
Dimitris Charlaftis
Software Engineer
National Documentation Center
email: dharlaftis(a)ekt.gr
_____________________________
5 years, 11 months