Re: [keycloak-user] [UMA] Access a protected resource by using a link
by Fernando Mayoral
*What type of application we are talking about? A single monolithic or
separated apps for frontend and backend? Asking because you could just
resume the workflow after the user authenticate again and is redirected
back to your app ...*
We are talking separated frontend/backend, in fact, it's microservices and
micro-frontend architecture.
Correct, authentication & redirect would work and I've just realised I've
missed an important aspect of this:
Our users don't have a username-password with keycloak, not that they know
of at least, there's a third-party authentication provider they can use
through OIDC.
Alternatively, if they don't have an account with that third-party and
can't be bothered with setting one up, we have a custom authenticator that
essentially allows "anonymous authentication", i.e. you don't have an
account, yet you want to use the application, you get an anonymous session.
And we use such a user to store protected data (such data expires after some
time in the system and is erased).
Now we want to provide a way for such anonymous users to be able to recover
their order and be authorised without having them set a password for the
account and so on, as the intention of the anonymous user mechanism is
mostly tracking and authorisation, which we erase after some time, and
not so much having a permanent user in the system.
AFAIK, there is nothing you could use OOTB but maybe implementing some
custom authenticator. Even with a custom authenticator, the fact that you
are automatically re-authenticating the user based on some form of code
sent to an email may be risky
Agreed on the risky side; it's not desirable nor recommended from a
security point of view, yet since users in our system are ephemeral, the
attack vector is narrow enough that it is acceptable to sacrifice that
in order to get a smoother UX. Long-lived cookies could probably help here
too, but we are assuming users can use a different device, so that doesn't
work for all scenarios.
Thanks for your comments. I was thinking of a custom authenticator but
wanted to confirm whether support existed OOTB. I'll take your points on the
risk and discuss them with our team.
Regards,
- Fernando
On Sat, Nov 16, 2019 at 1:44 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
> What type of application we are talking about? A single monolithic or
> separated apps for frontend and backend ? Asking because you could just
> resume the workflow after the user authenticate again and is redirected
> back to your app ...
>
> AFAIK, there is nothing you could use OOTB but maybe implementing some
> custom authenticator. Even with a custom authenticator, the fact that you
> are automatically re-authenticating the user based on some form of code
> sent to an email may be risky ...
>
>
> On Thu, Nov 14, 2019 at 6:37 PM Fernando Mayoral <
> fernando.mayoral(a)practiv.com> wrote:
>
>> Yes, they leave the application and their keycloak session expires.
>> So then we want to send them a link for them to get a new session with
>> their user and get redirected to the order they didn't complete.
>> For example, a product is a bank account application:
>> They start filling the forms and early on they are asked for email.
>> But they never finish and submit the form, or maybe they leave the tab
>> open and forget so the session expires, so we send them an email to remind
>> them with a link to get authenticated and redirected back to an arbitrary
>> url.
>>
>> On Fri, Nov 15, 2019 at 2:47 AM Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> When the user "drops" from the system you mean a logout (ending the user
>>> session in Keycloak) ?
>>>
>>> On Thu, Nov 14, 2019 at 1:53 AM Fernando Mayoral <
>>> fernando.mayoral(a)practiv.com> wrote:
>>>
>>>> Hello!
>>>>
>>>> We have a product on which we create a protected resource (called orders)
>>>> in keycloak and we secure access to it by using a UMA as described by uma
>>>> authorization process
>>>> <https://www.keycloak.org/docs/7.0/authorization_services/#_service_uma_au...>.
>>>>
>>>> When the user drops from the system before they submit their order (i.e.
>>>> the order is incomplete) we want to be able to send them an email with a
>>>> link to the user so they’ll be able to get automatically authenticated
>>>> and
>>>> authorized so they can continue working on this protected resource.
>>>>
>>>> Does keycloak provide this kind of functionality out of the box?
>>>> (i.e. given a link with some sort of long-lived token, get authenticated
>>>> with keycloak and redirected to some arbitrary url)
>>>> Is there any recommended way to approach this?
>>>>
>>>> any hints would be greatly appreciated.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
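Added example, not code from the thread or from Keycloak: one way to constrain the emailed resume link Fernando describes so that the risk Pedro points at stays narrow. The token is random, single-use, short-lived and bound to one user and one order, only its hash is stored, and the redirect target is checked against an allowlist instead of being an arbitrary URL. The in-memory store, the allowlisted host and the lifetime are assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

# Assumptions for this illustration (not Keycloak's own storage):
# an in-memory store keyed by the SHA-256 of the token, a redirect
# allowlist, and a short lifetime instead of a long-lived token.
_LINKS: dict = {}
ALLOWED_REDIRECT_HOSTS = {"app.example.test"}
LINK_TTL_SECONDS = 15 * 60


def issue_link(user_id: str, order_id: str, redirect_url: str,
               now: Optional[float] = None) -> str:
    """Create a single-use resume token bound to one user and one order.

    Only the hash is stored, so a copy of the store cannot be replayed;
    the raw token exists only in the email that is sent out.
    """
    if urlsplit(redirect_url).hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError("redirect target is not on the allowlist")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _LINKS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user_id,
        "order": order_id,
        "redirect": redirect_url,
        "expires": now + LINK_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_link(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the (user, order, redirect) to resume, exactly once.

    Unknown, expired and already-used tokens all fail the same way, so the
    caller cannot tell which check rejected a link.
    """
    now = time.time() if now is None else now
    record = _LINKS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # a forwarded or replayed link fails from here on
    return {"user": record["user"], "order": record["order"],
            "redirect": record["redirect"]}
```

The redeemed record is what the backend would then use to create the user's new session and send them to the order, rather than trusting anything carried in the link itself.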
JBoss_Keycloak_"404 - Not Found"
by Naga Vijay
Hello,
Can someone help me with this?
==============
Environment -
==============
1. OS - Mac OS X
2. JBoss EAP 7.1
3. Keycloak 7.0.1
==============
Issue -
==============
1. Getting "404 - Not Found" for a simple hello.war (with KEYCLOAK as the
auth-method in its web.xml) when accessing http://localhost:8080/hello
==============
Attachments -
==============
1. kc.json - export dump of keycloak database/configuration
2. hello.war - the simple war tested with
Let me know if you need any other info.
Thanks
Naga
[UMA] Access a protected resource by using a link
by Fernando Mayoral
Hello!
We have a product on which we create a protected resource (called orders)
in keycloak and we secure access to it by using a UMA as described by uma
authorization process
<https://www.keycloak.org/docs/7.0/authorization_services/#_service_uma_au...>.
When the user drops from the system before they submit their order (i.e.
the order is incomplete) we want to be able to send them an email with a
link to the user so they’ll be able to get automatically authenticated and
authorized so they can continue working on this protected resource.
Does keycloak provide this kind of functionality out of the box?
(i.e. given a link with some sort of long-lived token, get authenticated
with keycloak and redirected to some arbitrary url)
Is there any recommended way to approach this?
any hints would be greatly appreciated.
CORS error in Keycloak Admin REST API - Unable to create realms from React JS app
by Vinay Matam
Hi,
I need help with a situation.
We are trying to create new realms in Keycloak dynamically from a ReactJS
based application with the help of the Keycloak Admin Rest API. Here's what
we have done so far:
Created a client in the master realm, "realm-creator", type = confidential,
Service Accounts Enabled = true, Scope = admin & create-realm selected,
Service Account Roles = create-realm.
I then fetch an access token for the above client using grant_type =
client_credentials, Authorization = BASIC, and the client id and client
secret as username and password. I am successfully getting the access token.
Now, as a next step, I am using this access token to create new realms by
calling the Admin REST API endpoint for creating a new realm,
https://<keycloakserver>/auth/admin/realms
Authorization: Bearer <accesstoken> // Access token generated from the
above step using the "realm-creator" client
and sending the JSON body of the realm representation.
Now, everything is working fine as expected when I test this from postman.
Realm is getting created successfully.
But when I try to implement this from a ReactJS app, I am getting a CORS
error.
For clients, we have the option of "Web Origins" and we can configure "*"
or the URL we want to solve the CORS issue. But here the client
"realm-creator" does not have "Standard Flow" enabled and I am not seeing
the "Web Origins" option.
Where should I configure the CORS setting for the Keycloak Admin REST API
to avoid the CORS error?
Please help.
Thank you!
Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
by Sushil Singh
________________________________
From: Sushil Singh <sushil.singh(a)guavus.com>
Sent: 15 November 2019 15:14
To: Vishnu Prakash <vishnuprakash323(a)gmail.com>; Pedro Igor Silva <psilva(a)redhat.com>; Stian Thorgersen <sthorger(a)redhat.com>
Subject: Re: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hi,
I think the use case is similar to what I am proposing, @Vishnu Prakash.
I have also proposed to impose custom policy-enforcement on a set of resources.
https://github.com/keycloak/keycloak/pull/6448
KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters https://issues.jboss.org/browse/KEYCLOAK-11300
There the user can specify a Map<Resource, Set<scopes>> and it will evaluate to a positive result only if the permission for all resources in the Map is satisfied.
Currently I don't think this functionality is available in keycloak.
Thanks,
Sushil
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> on behalf of Vishnu Prakash <vishnuprakash323(a)gmail.com>
Sent: 15 November 2019 10:01
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hi,
I want to protect my REST APIs using Keycloak. I am deploying my
application in the Wildfly application server and using the keycloak wildfly
adapters.
Is it possible to associate a REST API endpoint with multiple resources in
keycloak using the Policy Enforcer? Only if the user has permission to
access all the associated resources should access be granted to
the API.
Any input will be a great help to me.
Thanks & Regards,
Vishnu Prakash
Keycloak redirects localhost and not redirect remote url
by Alfonso Vidal García
I have my Keycloak server and my web app connected to Keycloak to do the login into the app.
If I run locally, it redirects perfectly, but if I deploy the server and the web app on the same server, when the web app redirects to keycloak it redirects to localhost and not to the remote url.
Any idea how to avoid the redirects to localhost?
Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
by Vishnu Prakash
Hi,
I want to protect my REST APIs using Keycloak. I am deploying my
application in the Wildfly application server and using the keycloak wildfly
adapters.
Is it possible to associate a REST API endpoint with multiple resources in
keycloak using the Policy Enforcer? Only if the user has permission to
access all the associated resources should access be granted to
the API.
Any input will be a great help to me.
Thanks & Regards,
Vishnu Prakash
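Added example (not from the pull request, the adapters or Keycloak itself) of the evaluation Sushil describes and Vishnu asks for: a required Map<Resource, Set<scopes>> is checked against the permissions claim of an RPT and only grants access when every resource is covered with every listed scope. The sample claim values and the fail-closed handling of an empty map are assumptions.

```python
from typing import Dict, Set

# Constructed sample of the "authorization.permissions" claim of a Keycloak
# RPT; the claim layout (rsname/scopes) is Keycloak's, the values are made up.
SAMPLE_RPT_CLAIMS = {
    "authorization": {
        "permissions": [
            {"rsname": "orders", "scopes": ["order:view", "order:edit"]},
            {"rsname": "invoices", "scopes": ["invoice:view"]},
            {"rsname": "reports"},  # granted as a whole, no scopes listed
        ]
    }
}


def granted_scopes(rpt_claims: dict) -> Dict[str, Set[str]]:
    """Flatten the permissions claim into resource name -> granted scopes."""
    granted: Dict[str, Set[str]] = {}
    for perm in rpt_claims.get("authorization", {}).get("permissions", []):
        granted.setdefault(perm["rsname"], set()).update(perm.get("scopes", []))
    return granted


def all_resources_permitted(rpt_claims: dict,
                            required: Dict[str, Set[str]]) -> bool:
    """True only if every required resource is granted with all its scopes.

    A resource required with an empty scope set only has to be present.
    An empty `required` map denies (assumed fail-closed behaviour), so a
    missing mapping for an endpoint cannot silently open it.
    """
    if not required:
        return False
    granted = granted_scopes(rpt_claims)
    return all(res in granted and scopes <= granted[res]
               for res, scopes in required.items())


def missing_permissions(rpt_claims: dict,
                        required: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Which resources or scopes were missing, for the deny response or log."""
    granted = granted_scopes(rpt_claims)
    missing: Dict[str, Set[str]] = {}
    for res, scopes in required.items():
        if res not in granted:
            missing[res] = set(scopes)
        elif not scopes <= granted[res]:
            missing[res] = scopes - granted[res]
    return missing
```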
keycloak login page toggle
by Kannan, Vidhya (CMS)
Hello:
I have a requirement for a toggle on the login page between 2 categories:
If the user chooses category 1, LDAP should be used for auth;
if the user chooses category 2, AD should be used for auth.
Finally the user should be redirected to the same client application.
Is it possible with keycloak? Does it require development?
Any directions will help.
I don't find information on this in the keycloak documentation.
Thanks in advance.
Vidhya
Infinispan clustered sessions not being cleaned up after they expire.
by Marc Wijma
Hi,
We see user sessions not expiring/being cleaned up after the session max has expired (we see sessions 2-3 days old still present in the session overview in the admin area). Since we are using a session limit per user (custom authenticator) this is a problem, since users experience blocked access due to a falsely assumed number of active sessions (expired sessions count as active ones).
The code in our authenticator for checking how many active user sessions there are calls the .size() function on the cache object. According to the infinispan documentation (https://infinispan.org/docs/9.4.x/user_guide/user_guide.html#expiration_d...), on such a call lazily configured sessions should be invalidated and not counted. NOTE this is in a higher infinispan version; in the docs of version 7 nothing of this is mentioned. Also this is valid in a local cache setup. I am under the impression that in a clustered setup this is not the case? You need to actively clean up those sessions yourself (configure the reaper??). The out-of-the-box config in keycloak does not give any insight into how this works and whether a reaper is configured.
Is my assumption correct that configuring a reaper would solve my problems, and what would that configuration look like?
Background:
We use keycloak 4.8.3 in a load balanced environment (A10, ssl offloading) with 2 vps machines and infinispan 7 as a replicated caching mechanism between the machines.
Session settings (adminarea: realm settings > tokens)
- SSO Session Idle: 30 min
- SSO Session Max 10 Hours
- SSO Session Idle Remember Me 0 minutes
- SSO Session Max Remember Me 30 days
Code snippet in custom authenticator checking amount of active sessions:
import java.util.List;
import java.util.stream.Collectors;
import org.keycloak.models.ClientModel;
import org.keycloak.models.UserSessionModel;

// Get the session count in this realm for this specific user
List<UserSessionModel> userSessionsForRealm = session.sessions().getUserSessions(context.getRealm(), context.getUser());
int userSessionCountForRealm = userSessionsForRealm.size();
// Get the session count related to the current client for this user
ClientModel currentClient = context.getAuthenticationSession().getClient();
logger.debugf("Client: %s", currentClient.getClientId());
// The lambda parameter must not be named "session": that name is already the local KeycloakSession above, and Java rejects the shadowing
List<UserSessionModel> userSessionsForClient = userSessionsForRealm.stream()
        .filter(userSession -> userSession.getAuthenticatedClientSessionByClient(currentClient.getId()) != null)
        .collect(Collectors.toList());
int userSessionCountForClient = userSessionsForClient.size();
We have configured infinispan as follows in standalone-ha.xml (basically as is out of the box):
<subsystem xmlns="urn:jboss:domain:ejb3:5.0">
    …
    <caches>
        <cache name="simple"/>
        <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
    </caches>
    <passivation-stores>
        <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
    </passivation-stores>
    …
</subsystem>
…
<subsystem xmlns="urn:jboss:domain:infinispan:7.0">
    <cache-container name="keycloak">
        <transport lock-timeout="60000"/>
        <local-cache name="realms">
            <object-memory size="10000"/>
        </local-cache>
        <local-cache name="users">
            <object-memory size="10000"/>
        </local-cache>
        <local-cache name="authorization">
            <object-memory size="10000"/>
        </local-cache>
        <local-cache name="keys">
            <object-memory size="1000"/>
            <expiration max-idle="3600000"/>
        </local-cache>
        <replicated-cache name="work"/>
        <distributed-cache name="sessions" owners="1"/>
        <distributed-cache name="authenticationSessions" owners="1"/>
        <distributed-cache name="offlineSessions" owners="1"/>
        <distributed-cache name="clientSessions" owners="1"/>
        <distributed-cache name="offlineClientSessions" owners="1"/>
        <distributed-cache name="loginFailures" owners="1"/>
        <distributed-cache name="actionTokens" owners="2">
            <object-memory size="-1"/>
            <expiration interval="300000" max-idle="-1"/>
        </distributed-cache>
    </cache-container>
    …
Marc Wijma
senior developer
T 0522 235 235
M.Wijma(a)edu-actief.nl
www.edu-actief.nl
Meppel (Stationsweg 66)
Edu'Actief
Boom beroepsonderwijs
Stationsweg 66
7941 HG Meppel
Postbus 1056
7940 KB Meppel
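Added example, not Marc's authenticator code: counting sessions only after applying the realm's idle and max lifespan from the post, so an entry the cache has not evicted yet is not counted as active and blocked logins can be distinguished from a stale cache. The UserSession class is a constructed stand-in for Keycloak's UserSessionModel and the sample data is made up.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Realm token settings from the post, in seconds.
SSO_SESSION_IDLE = 30 * 60       # SSO Session Idle: 30 min
SSO_SESSION_MAX = 10 * 60 * 60   # SSO Session Max: 10 hours


@dataclass(frozen=True)
class UserSession:
    """Constructed stand-in for UserSessionModel: epoch-second timestamps
    and the ids of the clients that hold a client session on it."""
    session_id: str
    started: int
    last_refresh: int
    client_ids: FrozenSet[str]


def is_expired(s: UserSession, now: int, idle: int = SSO_SESSION_IDLE,
               max_lifespan: int = SSO_SESSION_MAX) -> bool:
    """Apply the realm's idle and max-lifespan rules in the authenticator
    instead of trusting that the cache has already evicted the entry."""
    return now - s.last_refresh > idle or now - s.started > max_lifespan


def count_active_sessions(sessions: List[UserSession], now: int,
                          client_id: Optional[str] = None) -> int:
    """Count only still-valid sessions, optionally only those with a client
    session for `client_id` (the per-client limit from the post)."""
    live = [s for s in sessions if not is_expired(s, now)]
    if client_id is not None:
        live = [s for s in live if client_id in s.client_ids]
    return len(live)


def stale_session_ids(sessions: List[UserSession], now: int) -> List[str]:
    """Expired entries still present in the list, for logging or removal."""
    return [s.session_id for s in sessions if is_expired(s, now)]


# Constructed sample: s1 and s4 are live, s2 sat idle for an hour, s3 is
# three days old but was refreshed recently (the case seen in the post).
NOW = 1_000_000
SAMPLE_SESSIONS = [
    UserSession("s1", NOW - 600, NOW - 60, frozenset({"portal"})),
    UserSession("s2", NOW - 7200, NOW - 3600, frozenset({"portal"})),
    UserSession("s3", NOW - 3 * 86400, NOW - 120, frozenset({"portal", "admin"})),
    UserSession("s4", NOW - 300, NOW - 30, frozenset({"admin"})),
]
```

A plain .size() over this list reports 4 sessions, while the expiry-aware count reports 2; the difference is the set of stale entries the post describes.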