Keycloak fine grained permissions with Spring Boot / Spring Security
by David Marsh
I would like to use permissions or scopes or similar to allow fine-grained access to a REST resource.
Ideally I would like to do something like:
@PreAuthorize("hasPermission('Brands', 'brands:write')")
ResponseEntity<Brand> getBrand(@PathVariable("brandCode") String brandCode);
where 'Brands' is a keycloak client authorization resource with scopes 'brands:write, brands:read'.
The only annotation that seems to work is @Secured with a role; I do not wish to do RBAC.
@Secured({"ROLE_STAFF"})
I have looked at the PolicyEnforcer, it is unclear to me exactly how it is supposed to be used.
I can write code of the form:
import javax.servlet.http.HttpServletRequest;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;

// The Keycloak adapter stores the security context as a request attribute keyed by the class name
KeycloakSecurityContext keycloakSecurityContext =
        (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
// Only populated when the policy enforcer is configured for this client
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();
if (authzContext.hasScopePermission("brands:write")) {
    // This works....
}
How can I tie the AuthorizationContext from PolicyEnforcing to the standard Spring security annotations ?
thanks
David
5 years, 8 months
Adding a custom user storage provider to a realm with the admin client
by Philippe Julien
Hi everyone,
Is there a way to add a user storage provider to an existing realm with the admin client (rest api) ?
I’ve looked at the code and user storage providers are ignored on realm update.
On realm creation, only LDAP and Kerberos user storage providers are taken into account.
What would be the best way to programmatically add a custom user storage provider to a new or existing realm?
Thanks,
Philippe
5 years, 8 months
obtaining token when using identity broker
by Tim Dudgeon
Apologies again if this was already answered, but my subscription to the
ML keeps getting cut and there is no archive to check!
How can I obtain a token in the following scenario:
1. My keycloak realm is set up to manage users with identity brokering
(e.g. in a browser they would login through GitHub, Google etc.)
2. I have a public client in that realm that has REST API that requires
access to be authenticated
3. I want to access that API using curl or other CLI tool so need to
provide an access token.
How can I get a token?
Thanks
Tim
5 years, 8 months
Password expiry policy not working for federated user
by kapil joshi
Hi All,
Password expiry policy not working for federated user. We can see that the
password has expired for LDAP user, which was set to 90 days, but user can
still login to UI via keycloak authentication.
Kindly point out what we are missing.
Please note we have enabled the switch to sync password policy with
federated user.
Thanks & regards
Kapil
5 years, 8 months
Permissions tab missing after upgrading
by Frank Herrmann
Hello,
I just updated my installation of Keycloak from 3.4.3 to 6.0.1. I need to
set up token exchange. The documentation still references the Permissions
tab in my identity provider. However, the tab is missing. It is also
missing from my clients. My 3.4.3 installation has the Permissions tabs.
I can, however, get to the permissions pages by altering the url. I was
wondering if anyone else has seen this. Is this a bug, or does the
documentation need to be updated?
Thanks,
-Frank
--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT
T: 561-880-2998 x1563
E: frank.herrmann(a)modmed.com
5 years, 8 months
HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
by abhishek raghav
Hi
After the migration of keycloak HA configurations from 3.4.3.Final to
4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak
immediately after keycloak is started with 2 nodes. This occurs every time
the cluster is scaled up or whenever infinispan is trying to update the
cluster member list.
I am using JDBC_PING to achieve clustering in keycloak.
Below is the stacktrace -
2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1 from dcidqdcosagent02
    at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    Suppressed: org.infinispan.util.logging.TraceException
        at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
        at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
        at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
Now after I searched, I really did not see anyone report such an error on
keycloak, but there is a similar bug reported in WildFly 14 and it is categorized
as a blocker in WildFly 14. This bug is already fixed in WildFly 15.
https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
Now since keycloak 4.8 is also based on WildFly 14, these WARNINGS could be
because of this blocker in WildFly 14.
What should I do to get rid of this error? Is this really a problem in
keycloak 4.8.3.Final? Did anyone notice any such issue while running
keycloak 4.8.3 in HA mode?
Is there a workaround to fix this?
One more thing we noticed is regarding a property in the JDBC_PING
protocol we are using in our 3.4.3 setup, i.e. "clear_table_on_view_change",
but it is no longer supported in version 4.8, and thus the JGROUPSPING table
is filled up with a lot of stale entries. Is there a workaround to clear the
table after a view change in 4.8 also?
Thanks
Abhishek
5 years, 8 months
Problems with kcadm returning messages as errors incorrectly
by Leigh Kennedy
Hi,
I have been porting some keycloak scripts I wrote from linux to powershell.
The issue I have is that while the commands work, the output is being returned as stderr incorrectly, i.e.:
PS C:\Windows\system32> kcadm.bat config credentials --server http://127.0.0.1:8080/auth --realm master --user myuser --password xxxx
kcadm.bat : Logging into http://127.0.0.1:8080/auth as user myuser of realm master
At line:1 char:1
+ kcadm.bat config credentials --server http://127.0.0.1:8080/auth --re ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Logging into ht...of realm master:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
If I redirect the error output to a file, I get no output:
PS C:\Windows\system32> kcadm.bat config credentials --server http://127.0.0.1:8080/auth --realm master --user qlik --password Qlik1234 2>console.err
PS C:\Windows\system32>
The commands are working, but for some reason the way Java returns the output is causing the issue.
Does anyone know how to work around this?
Thanks.
Leigh.
5 years, 8 months
User Federation - LDAP - synchronize changed users
by Travis De Silva
Hi
We have a user federation setup that connects to Microsoft Active Directory
(AD)
We are having an issue where when user attributes such as "memberof" or
extension attributes are updated, it does not update it in keycloak. We
have the synchronize changed users set to activate every half an hour.
How does Keycloak identify if the user has changed in AD? Are you using the
AD attribute "whenChanged" or is it some other attribute?
Appreciate any help.
Cheers
Travis
5 years, 8 months