Identity Provider for Provisioned Accounts
by Thomas Richner
Hi all,
I'm trying to add an identity provider that can only be used to log in
for existing accounts.
It should cover the following use case:
1. there is an existing Keycloak account with the email `alice(a)example.com`
2. Alice also has a Google account with the email `alice(a)example.com`
3. Alice wants to log in at Keycloak and clicks 'login with google'
4. She successfully completes the Google oauth flow
5. now Alice should have a valid session for the `alice(a)example.com`
account in Keycloak
There does not need to be any further confirmation/updating of user
information and if `alice(a)example.com` does not exist in Keycloak the
login should just fail. I struggle especially with the last part since
the `Create User If Unique` in the first broker flow can not be
disabled.
I also came across the following issue
https://issues.jboss.org/browse/KEYCLOAK-4240 which seems to ask for
more or less what I need, but it seems to have been dead for quite some
time :/
Did anybody successfully solve that issue? Is there some 'first login
flow' that can handle this use case?
Cheers and Thanks,
Thomas
5 years, 9 months
Keycloak 5.0.0 and Java 11?
by Ryan Slominski
I'm attempting to use Keycloak 5.0.0 and OpenJDK 11.0.2 on RHEL 7.6, but encountering an error executing the bin/add-user-keycloak.sh script:
[root@keycloaktest bin]# ./add-user-keycloak.sh -u admin
org.jboss.modules.ModuleNotFoundException: java.se
at org.jboss.modules.Module.addPaths(Module.java:1266)
at org.jboss.modules.Module.link(Module.java:1622)
at org.jboss.modules.Module.relinkIfNecessary(Module.java:1650)
at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:296)
at org.jboss.modules.Main.main(Main.java:437)
[root@keycloaktest bin]# export JAVA_OPTS="--add-modules java.se"
[root@keycloaktest bin]# echo $JAVA_OPTS
--add-modules java.se
[root@keycloaktest bin]# ./add-user-keycloak.sh -u admin
Press ctrl-d (Unix) or ctrl-z (Windows) to exit
Password:
Added 'admin' to '/opt/wildfly/keycloak-5.0.0/standalone/configuration/keycloak-add-user.json', restart server to load user
[root@keycloaktest bin]#
I found the workaround here:
https://issues.jboss.org/browse/WFCORE-3962
and here:
https://issues.jboss.org/browse/MODULES-372
Is this simply an oversight with the add-user-keycloak.sh script and will be fixed in a future release?
adding mysql or mariadb backend
by Andrew Meyer
Hello,
If I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0, what is the correct syntax from the jboss-cli.sh tool? This is what I have in my notes.
Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).
$ ./bin/jboss-cli.sh
Is this the correct mysql connector version for MariaDB 10.1.x?
MySQL/MariaDB
jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar
Add the Database driver to the configuration.
MySQL/MariaDB
# sudo su -
Is this the correct syntax for the driver? Should it be com.mysql or org.mysql??
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'
Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source. (Don't delete the test database and change YOURPASS to something random)
MySQL/MariaDB
# sudo su -
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
Infinispan cache synchronization over TLS?
by Mike W.
Hi everyone,
I'm interested to know how the synchronization between infinispan caches
occurs when working with keycloak in an HA mode. Is this synchronization by
default happening over TLS?
In the case of Keycloak, what would be the proper approach to find out what
information is being stored and communicated between the infinispan caches
and whether that information is stored securely?
Thanks,
Mike
Keycloak FIPS PKI Problems
by Christophe Webb
I am running keycloak in a docker container. We are using PKI as one of the authentication methods for our applications. I followed the instructions for keycloak (X.509 Client Certificate User Authentication) to set this up, and everything seems to work. Next, we needed to update keycloak to be FIPS compliant. For this, we are using the bouncy castle FIPS provider (bc-fips-1.0.1.jar). I have set up the java.security file to make the bouncy castle fips provider the default. This all works correctly as well.
However, once I update the java.security file to use "com.sun.net.ssl.internal.ssl.Provider BCFIPS", PKI no longer works. Regular SSL without a client certificate provided works just fine, and we can log in with username and password, but we need PKI.
I have updated the keycloak standalone.xml with the following:
<server-identities>
    <ssl>
        <keystore provider="BCFKS" path="keystore.bcfks" relative-to="jboss.server.config.dir" keystore-password="<password>" alias="keycloak" key-password="<password>"/>
    </ssl>
</server-identities>
<authentication>
    <truststore provider="BCFKS" path="truststore.bcfks" relative-to="jboss.server.config.dir" keystore-password="<password>"/>
    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
I took the JKS files for the keystore and truststore that I was using before and imported them to BCFKS files using this basic command:
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -srcstorepass <password> -destkeystore keystore.bcfks -deststoretype BCFKS -deststorepass <password> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /path/to/jar/bc-fips-1.0.1.jar
I also updated the JAVA_OPTS to include -Djavax.net.debug=ssl. In the output, I can see that my certificate is provided, and it looks correct.
In the log output after the client certificate is logged, I see the following log statements.
14:38:30,927 INFO [stdout] (default task-1) default task-1, fatal error: 46: General SSLEngine problem
14:38:30,927 INFO [stdout] (default task-1) sun.security.validator.ValidatorException: No trusted certificate found
14:38:30,927 INFO [stdout] (default task-1) %% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
14:38:30,927 INFO [stdout] (default task-1) default task-1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
14:38:30,927 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1.2 Alert, length = 2
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, called closeInbound()
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, called closeOutbound()
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, closeOutboundInternal()
Apply default client scopes to existing clients
by Jody H
Hi,
when I add a new client scope as default, I'd expect that this will be
added to the "assigned default client scopes" for existing clients as well.
However, only new clients will see the mapper in their "assigned default
mappers" list. Is there a way to automatically adjust all existing clients
when I set a client scope as default?
Thanks
Jody
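Added example (editor's code, not from the post and not Keycloak's own tooling): a script that attaches an existing default client scope to every client in a realm that does not yet list it, using the admin REST API's client-scopes, clients and default-client-scopes endpoints. The server URL, realm name, admin credentials and scope name are placeholder assumptions.

```python
"""Attach a default client scope to every existing client that lacks it.

Added example, not from the original post. BASE, REALM, the admin
credentials and the scope name are placeholder assumptions.
"""
import json
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.internal"   # assumption: placeholder server URL
REALM = "myrealm"                            # assumption: placeholder realm name


def admin_token(username, password):
    """Get an admin access token from the master realm via the admin-cli client."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{BASE}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call(token, method, path):
    """One authenticated admin API request; returns parsed JSON or None for an empty body."""
    req = urllib.request.Request(f"{BASE}/admin/realms/{REALM}{path}", method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:     # raises HTTPError on non-2xx
        raw = resp.read()
        return json.loads(raw) if raw else None


def clients_missing_scope(clients, scope_name):
    """Pure helper: (uuid, clientId) of clients whose defaultClientScopes lack scope_name.
    Works on ClientRepresentation dicts, so it can be unit-tested without a server."""
    return [(c["id"], c["clientId"]) for c in clients
            if scope_name not in c.get("defaultClientScopes", [])]


def apply_default_scope(token, scope_name):
    """Resolve the scope id, then add it as a default scope to each client missing it."""
    scope_ids = {s["name"]: s["id"] for s in call(token, "GET", "/client-scopes")}
    scope_id = scope_ids[scope_name]          # KeyError: the scope does not exist in REALM
    todo = clients_missing_scope(call(token, "GET", "/clients"), scope_name)
    for client_uuid, client_id in todo:
        call(token, "PUT", f"/clients/{client_uuid}/default-client-scopes/{scope_id}")
        print(f"added default scope {scope_name!r} to client {client_id}")
    return [client_id for _, client_id in todo]


if __name__ == "__main__":
    import getpass
    tok = admin_token("admin", getpass.getpass("admin password: "))
    apply_default_scope(tok, "my-scope")      # assumption: placeholder scope name
```

Run it once after marking the scope as default; clients that already list the scope are left untouched, so re-running is safe.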
Notification after failed login attempt(s) from unknown machine.
by Lukasz Lech
Hello,
Does keycloak have a functionality of notifying user about failed login attempts made from unknown machine?
In default configuration, users have no idea that someone has tried to guess their password...
I couldn't find anything about that, but there already seems to be some brute-force detector (at least it is logged as such).
Best regards,
Lukasz Lech
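Added example, not from the original post: a small detector over Keycloak event-listener log lines that flags LOGIN_ERROR events whose source address has no earlier successful LOGIN for the same user, which is the "unknown machine" case the post asks about. The log lines are constructed in the shape of the jboss-logging event listener's output; the field names used (type, userId, ipAddress, username, error) are the ones that listener emits.

```python
"""Flag failed logins from addresses never seen in a successful login for that user.

Added example, not part of the original post. SAMPLE_LOG is constructed in the
style of Keycloak's jboss-logging event listener; it is not a real capture.
"""
import re
from collections import defaultdict

# Constructed sample: two good logins for alice, then failures from a new address.
SAMPLE_LOG = """\
type=LOGIN, realmId=master, clientId=account, userId=u-alice, ipAddress=10.1.2.3, username=alice
type=LOGIN, realmId=master, clientId=account, userId=u-alice, ipAddress=10.1.2.4, username=alice
type=LOGIN_ERROR, realmId=master, clientId=account, userId=u-alice, ipAddress=10.1.2.3, error=invalid_user_credentials, username=alice
type=LOGIN_ERROR, realmId=master, clientId=account, userId=u-alice, ipAddress=203.0.113.9, error=invalid_user_credentials, username=alice
type=LOGIN_ERROR, realmId=master, clientId=account, userId=u-alice, ipAddress=203.0.113.9, error=invalid_user_credentials, username=alice
type=LOGIN_ERROR, realmId=master, clientId=account, ipAddress=203.0.113.9, error=user_not_found, username=nobody
"""

FIELD = re.compile(r"(\w+)=([^,]*)")   # the listener writes comma-separated key=value pairs


def parse_event(line):
    """Turn one 'k=v, k=v' event line into a dict; None for lines that are not events."""
    fields = dict(FIELD.findall(line))
    return fields if "type" in fields else None


def unknown_machine_failures(lines):
    """Return {userId: {ip: failure_count}} for LOGIN_ERROR events from an address
    with no earlier successful LOGIN by that user. Events without a userId
    (e.g. user_not_found) are skipped: there is no account holder to notify.
    The baseline is built in stream order, as a live notifier would see it."""
    known_ips = defaultdict(set)
    alerts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if not ev or "userId" not in ev:
            continue
        user, ip = ev["userId"], ev.get("ipAddress", "?")
        if ev["type"] == "LOGIN":
            known_ips[user].add(ip)
        elif ev["type"] == "LOGIN_ERROR" and ip not in known_ips[user]:
            alerts[user][ip] += 1
    return {user: dict(ips) for user, ips in alerts.items()}


if __name__ == "__main__":
    for user, ips in unknown_machine_failures(SAMPLE_LOG.splitlines()).items():
        for ip, count in ips.items():
            print(f"notify {user}: {count} failed login(s) from unknown address {ip}")
```

The failure from 10.1.2.3 is not flagged because alice has logged in from there before; the two from 203.0.113.9 are, which is the event a notification email would be sent for.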
Advice on setting up realms
by Chris Boot
Hi folks,
I’ve been looking for an IdP solution for my employer for months and
have felt like I’ve been going round and round in circles, until I
finally gave Keycloak another try. It’s like a breath of fresh air! So
thanks folks.
Our Keycloak instance will be used to protect about a dozen
applications, things like our wiki, monitoring control panel, and so on.
We’ll have two different types of users who will need to use the IdP and
log in to these applications: staff and partners.
Staff will need to log in using LDAP federation and will be required to
use TOTP. They should not be able to use social providers to log in.
Staff will use their email address to log in and all will use a single
RHS domain for their email addresses.
Partners will not have LDAP accounts, and should be able to opt-in to
use TOTP. They should ideally also be able to link social accounts (e.g.
Google or GitHub) to their existing records. Anyone not using our
corporate email domain, but who has an account, should be considered a
partner.
Some of our applications can only be configured with a single OIDC or
SAML provider, so Keycloak would need to handle both types of accounts
(e.g. staff / partner) from a single login interface.
I therefore have a few questions about how I might achieve such a setup:
- Can I make these two types of user coexist in a single realm, or do I
need to split it up?
- How can I enforce policies such as requiring TOTP for our staff?
- Can I prevent users from changing their email address and name in the
account console while still permitting password and authenticator changes?
Thanks in advance for any suggestions.
Cheers,
Chris
--
Chris Boot
bootc(a)boo.tc