User teams?
by Martin Vietz
Hi all,
we would like to implement a typical SaaS service, with Keycloak for
authentication. The services have users (self registration) and each
user is assigned to a team/company (self created or an existing one joined).
Inside a team most of the data is shared. Some team members have
special privileges (e.g. manage the team and update contract details).
What is the best way to implement this with Keycloak?
Currently we would use a group for each team, but afaik we must
implement several functions around Keycloak so that this works well, and
also implement the user/team mapping logic in each service.
Alternatively we are thinking about a "technical" user for each team.
Thanks in advance.
Best Regards
Martin
--
Martin Vietz | Management | ReTest GmbH
https://retest.de/ | +49-721-72380106
Haid-und-Neu-Straße 7, 76131 Karlsruhe, Germany
Commercial register: Amtsgericht Mannheim, HRB 727558
Management board: Dr. Jeremias Rößler, Martin Vietz
5 years, 10 months
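As an added example (not from the post and not Keycloak's own code), here is the per-service user/team mapping Martin mentions, written against a group-per-team layout. It assumes a Keycloak "Group Membership" protocol mapper with "Full group path" enabled puts paths such as "/teams/acme" and "/teams/acme/managers" into a "groups" claim; the /teams and /managers naming and the function names are this example's assumptions.

```python
from typing import Optional, Tuple

# Assumed claim shape (constructed for this example): a Keycloak "Group Membership"
# protocol mapper with "Full group path" enabled emits a "groups" claim such as
#   ["/teams/acme", "/teams/acme/managers"]
# The path convention is this example's assumption, not a Keycloak rule:
#   /teams/<team>           -> ordinary member of <team>
#   /teams/<team>/managers  -> member who may also manage the team / contract details
TEAM_ROOT = "teams"
MANAGER_SUBGROUP = "managers"

def team_membership(claims: dict) -> Tuple[Optional[str], bool]:
    """Derive (team, is_manager) from the token's group paths.

    A token naming two different teams is rejected rather than silently
    picking one: a service must never guess which tenant a caller belongs to.
    """
    team, is_manager = None, False
    for path in claims.get("groups", []):
        parts = path.strip("/").split("/")
        if len(parts) < 2 or parts[0] != TEAM_ROOT:
            continue                       # unrelated group such as /staff
        if team is not None and team != parts[1]:
            raise ValueError(f"token names more than one team: {team}, {parts[1]}")
        team = parts[1]
        if len(parts) == 3 and parts[2] == MANAGER_SUBGROUP:
            is_manager = True
    return team, is_manager

MEMBER_ACTIONS = {"read", "write"}             # shared team data
MANAGER_ACTIONS = MEMBER_ACTIONS | {"manage"}  # manage team, update contract details

def authorize(claims: dict, team_id: str, action: str) -> bool:
    """True only if the token places the caller in team_id with a sufficient privilege."""
    team, is_manager = team_membership(claims)
    if team is None or team != team_id:
        return False                       # cross-team access is the main thing to stop
    return action in (MANAGER_ACTIONS if is_manager else MEMBER_ACTIONS)
```

Each service only needs this claim-to-team step; the team and manager assignment itself stays in Keycloak's groups.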
How to generate JWT token in Keycloak?
by Amit Yadav
Hi all,
There is an endpoint on a backend server which gives a JSON response on
pinging and is protected by an Apigee Edge proxy. Currently, this endpoint
has no security and we want to implement bearer-only token authentication
for all the clients making the request.
Apigee Edge will be used to verify the JWT Token given by the user while
the end user makes a request to the API.
How do I use Keycloak to generate this JWT token?
Also, Apigee needs a "public key" of "the origin of the JWT token" (the
server which signed the JWT token; in this case I believe that is
Keycloak).
So my second doubt is, while I use Keycloak to generate the JWT token, how
do I get the public key with which the server will verify whether the token is
valid?
Thank you all for your help in advance.
Kind regards,
Amit Yadav
5 years, 10 months
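Added example (not from the post and not Keycloak's code), in Python with the standard library only: Keycloak's token endpoint issues RS256-signed JWTs, and the realm publishes its public keys as a JWKS at /auth/realms/<realm>/protocol/openid-connect/certs, where the token's "kid" header selects the matching key. The block reproduces that verification step against a constructed JWKS; the key is a toy built from two Mersenne primes so it runs offline (a real realm key is 2048-bit and generated by Keycloak), and issue_jwt merely stands in for the token endpoint.

```python
import base64, hashlib, json

# Constructed demo key: two Mersenne primes give a valid RSA modulus (trivially factorable,
# so a toy) that runs offline with the standard library; a real realm key is 2048-bit.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017 9.2

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def jwks() -> dict:
    # Same shape as GET /auth/realms/<realm>/protocol/openid-connect/certs
    return {"keys": [{"kid": "demo-kid", "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": b64u(N.to_bytes(K, "big")), "e": b64u(E.to_bytes(3, "big"))}]}

def issue_jwt(payload: dict, kid: str = "demo-kid") -> str:
    # Stand-in for the realm token endpoint: RS256 = SHA-256 + PKCS#1 v1.5 over header.payload
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(payload).encode())
    sig = pow(emsa_pkcs1_v15(signing_input.encode(), K), D, N)
    return signing_input + "." + b64u(sig.to_bytes(K, "big"))

def verify_jwt(token: str, keys: dict):
    """Return the payload if the signature checks against the JWKS entry named by kid, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64u_decode(h))
    except ValueError:
        return None
    if header.get("alg") != "RS256":     # pin the algorithm; never let the token choose it
        return None
    key = next((k for k in keys["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        return None
    n = int.from_bytes(b64u_decode(key["n"]), "big")
    e = int.from_bytes(b64u_decode(key["e"]), "big")
    sig = int.from_bytes(b64u_decode(s), "big")
    if sig >= n or pow(sig, e, n) != emsa_pkcs1_v15((h + "." + p).encode(), (n.bit_length() + 7) // 8):
        return None
    return json.loads(b64u_decode(p))
```

In practice fetch the JWKS from the certs URL (and re-fetch when an unknown kid appears, since realm keys rotate) and hand it to a JOSE library rather than this hand-rolled RSA; the lookup and the pinned algorithm are the parts worth keeping.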
Node Adapter check logout
by Tom Barber
Hi folks,
Trying to figure this one out…
If I log in to my NodeJS-based web app in a web browser I get prompted to
log in and do so, and the Keycloak adapter seems to initialise itself
correctly etc.
Then, for example, I go to bed but leave the browser window open; after a
while Keycloak will close down the session, as you'd expect. But if you
rerun kc.init:
kc.init({ onLoad: 'check-sso', token, refreshToken })   // token and refreshToken kept from the earlier session
  .success(authenticated => {
    if (authenticated) {
      debugger;
      SkinStore.kc = kc;
      store.getState().keycloak = kc;
      store.dispatch(setCurrentUser(kc));
      updateLocalStorage();
      ReactDOM.render(<App/>, document.getElementById('root'));
    } else {
      debugger;
      console.log('Error to authenticate');
      ReactDOM.render(<App/>, document.getElementById('root'));
    }
  });
It returns authenticated = true, yet I can look in the Keycloak server and
see there are no active sessions for that client.
Yet I can also see the iframe check to:
https://auth.testdomain.co.uk/auth/realms/skinparison/protocol/openid-con...
<https://auth.spicule.co.uk/auth/realms/skinparison/protocol/openid-connec...>
returns a 204 and seems happy.
What am I missing here?
I'm testing in a private Chrome window against a test Keycloak server and
everything else seems okay; if I shut the tab and open a new one I get
prompted to log back in etc.
Thanks
Tom
--
Spicule Limited is registered in England & Wales. Company Number:
09954122. Registered office: First Floor, Telecom House, 125-135 Preston
Road, Brighton, England, BN1 6AF. VAT No. 251478891.
5 years, 10 months
updating owner of a resource
by Gianni
Hi,
I was trying to update the owner of an existing resource with
resource.setOwner(newOwnerId);
getAuthzClient().protection().resource().update(resource);
There is no Exception, but it seems that resource still keeps the previous owner... is there a different way to achieve this? Is it possible at all?
thanks
gianni
PS: the server is Keycloak 4.8.3.Final
5 years, 10 months
Re: [keycloak-user] Requiring 2FA?
by Max Allan
>
> I have done some digging and if admin sends out a password reset, it works
as I expect: the user resets their password and is then prompted to return to
the login page, and they log in normally.
If they use the self-service reset function they reset their password and
are logged in to the application, without a TOTP prompt.
> I looked at the JWT in the reset email and can see that it says
"reset-credentials" on self reset and "execute-actions" on a managed reset.
So, I looked at the "Reset Credentials" flow. Added the OTP form.
With OTP form added, the user is requested to enter their OTP when they
click the link. And the button says "Log In".
> I can see this causing major confusion in the user community. "Log In? But
I've not reset my password yet. Help, what do I do, is there a security
breach that it lets me login without a password??"
> The OTP form is first in the flow regardless of its position in the "Copy of
Reset Credentials" flow. I can see the logic behind requiring TOTP before
resetting the password, it does validate that the user is who they claim to
be, however, "Login" will cause confusion.
> Raised : https://issues.jboss.org/browse/KEYCLOAK-9648 to cover it.
> Max
On Fri, 22 Feb 2019 at 16:03, Max Allan <max.allan+keycloak(a)surevine.com>
wrote:
>
> Hello,
>> I have a client app, and have enabled 2FA (totp) as a required step in
>> its browser auth flow.
>>
>> What we find is that some new users have been able to get the "reset your
>> password" link, reset their password and somehow access the client WITHOUT
>> 2FA.
>> Most reset their password and are then prompted to setup TOTP 2FA.
>>
>>
5 years, 10 months
Securing Microservices
by Svyatoslav Babych
Good morning everyone,
I would like to ask about the pros and cons, or the best practice, for the following approach: in a microservices architecture, using one and the same bearer-only client for all services.
Also, in this case what should be in the Admin URL?
Thank you in advance,
Best regards,
Svyat
Svyatoslav Babych | Senior Solution Architect, Technical team Lead
s.babych(a)dataclaritycorp.com
DataClarity Corporation | www.dataclaritycorp.com
5 years, 10 months
Requiring 2FA?
by Max Allan
Hello,
I have a client app, and have enabled 2FA (totp) as a required step in its
browser auth flow.
What we find is that some new users have been able to get the "reset your
password" link, reset their password and somehow access the client WITHOUT
2FA.
Most reset their password and are then prompted to setup TOTP 2FA.
I assume this is because to reset your password, you gain a valid session,
and if you then visit the client URL, keycloak does SSO via a different
flow and lets you in.
Except when I've tried to make that happen, it doesn't work like that! I
have no idea how the users manage to break it...
Should I enable 2FA on the "account" client's browser auth flow as well?
Will that allow people to reset their passwords normally? Or is there
something else I can do to prevent password resets from also being "logins,
without 2FA"?
I don't quite understand how some of the other flows are supposed to work,
if I added TOTP to a flow the user doesn't normally interact with, would it
cause confusion? It feels like the wrong thing to do.
Thanks,
Max
5 years, 10 months
Add terms of use to required actions
by So Be
Hi,
I want to add text containing the terms of use. At the moment the page is
empty. Which file (.ftl) should I modify?
I am using Keycloak 3.4.0
Thank you.
Sofiane.
5 years, 10 months