Custom REST endpoint not associated with a specific REALM
by Michael Dailous
Hi,
We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the authentication process, identifying which Keycloak REALM should be used during the client authentication process. We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post-authentication. For this REST endpoint, we're looking to access it generically pre-authentication.
Is it possible to create a custom REST endpoint that's not associated with a specific REALM?
Thanks,
Michael
5 years, 7 months
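The RealmResourceProvider SPI that the "/auth/realms/master/admin-extensions/..." endpoints above are built on is realm-scoped by design: every provider is mounted at /auth/realms/{realm}/{provider-id}, and there is no corresponding SPI that mounts above the realm path. What the SPI does not require is authentication, so the usual way to get a "generic" pre-authentication lookup is to deploy the provider under one realm (the master realm, or a dedicated realm that holds no users) and have it search every realm. The following is an added example written for this reply, not the poster's code and not something Keycloak ships. The provider id "realm-lookup", the choice of e-mail as the lookup key, and the assumption that the deployment's realms are all visible to the hosting realm's session are mine. Note that a public user-to-realm lookup is, unavoidably, an account-enumeration oracle: it answers "does this e-mail exist somewhere" to anyone, so put a rate limit in front of it at the proxy and return as little as possible on the positive path.

```java
// Added example (not the poster's code, not shipped by Keycloak): a RealmResourceProvider
// that looks a user up across every realm and reports which realm owns the account.
// Provider id "realm-lookup" and e-mail as the lookup key are assumptions.
package com.example.keycloak.lookup;

import java.util.Collections;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

public class RealmLookupProviderFactory implements RealmResourceProviderFactory {
    public static final String ID = "realm-lookup";

    @Override public String getId() { return ID; }
    @Override public RealmResourceProvider create(KeycloakSession session) { return new RealmLookupProvider(session); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}

class RealmLookupProvider implements RealmResourceProvider {
    private final KeycloakSession session;

    RealmLookupProvider(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() { return this; }
    @Override public void close() { }

    // GET /auth/realms/<hosting-realm>/realm-lookup?email=...   (no authentication required)
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response lookup(@QueryParam("email") String email) {
        // Reject junk early; 254 is the practical upper bound for an e-mail address.
        if (email == null || email.isEmpty() || email.length() > 254) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        for (RealmModel realm : session.realms().getRealms()) {
            if (!realm.isEnabled()) continue;            // disabled realms stay invisible
            UserModel user = session.users().getUserByEmail(email, realm);
            if (user != null && user.isEnabled()) {
                // Only the realm name goes back; nothing else about the account leaks.
                Map<String, String> body = Collections.singletonMap("realm", realm.getName());
                return Response.ok(body).build();
            }
        }
        // Same answer for "no such user" and "user disabled" so the two cannot be told apart.
        return Response.status(Response.Status.NOT_FOUND).build();
    }
}
```

Register the factory by listing its fully qualified class name in META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory inside the JAR you deploy, after which the lookup is reachable under any enabled realm's path regardless of which realm the user actually belongs to.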
X509 Direct Grant with client certificate
by Chirag Unnadkat
Hi,
Is it possible to pass the same client certificate in a token request with different login credentials?
My current setup doesn't seem to allow this, and I can't find any documentation saying this is not possible.
I have configured an X509 Direct grant flow using X509/Validate Username(X.509 Config)
This is configured to take the Subject's Common Name, with the attribute "NAME".
I have configured a trust store with 1 certificate (want to share this across users)
When I add the Subject Common Name to user 1's attribute, they then require the key pair to generate a token; however, once I share the same attribute details with user 2, both user 1 and user 2 stop working. Maybe I am missing some configuration that will allow my users to share the same certificate.
I ideally do not want to have one certificate per user, as this will become unmanageable as the population of the realm increases.
Kind Regards,
Chirag Unnadkat
Business Analyst
Cerillion plc
E. chirag.unnadkat(a)cerillion.com<mailto:chirag.unnadkat@cerillion.com>
T. 0207 9276029
W. www.cerillion.com<http://www.cerillion.com/>
Addr. 25 Bedford Street, London, WC2E 9ES, UK
5 years, 7 months
How to get the role -> permissions for an authenticated user
by Ori Doolman
Hi,
I have a web application (Angular) which calls a REST API in a Java microservice.
In my application, which manages books, I have "regular" and "admin" roles.
"regular" is allowed to execute API readBook.
"admin" is allowed to execute APIs readBook, deleteBook, createBook.
The mapping between the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities.
I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions.
When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization.
1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created?
Or is there any other recommended way to "map" the roles into the effective permissions at runtime?
Maybe keep the role->permissions in my current DB and load them to service cache ?
2. I want to avoid calling Keycloak for every REST API call because this will result in bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way?
3. Another alternative I thought of:
have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role.
This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token.
Thanks,
Ori.
5 years, 7 months
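The pattern asked about in question 1 (keep role-to-permission mapping in the service, derive the effective permissions from the roles the verified token already carries, never call Keycloak per request) is shown below as an added example. It is not the poster's code and not part of any Keycloak adapter; it assumes the Java microservice runs behind the Keycloak servlet adapter, which has already verified the bearer token's signature, expiry and issuer before this filter runs, and the role names, permission names and the method-to-permission table are taken from the post. The important security property is that the permissions are computed from the verified token plus a server-side table, never from anything the client sends in the request.

```java
// Added example (not the poster's code, not a Keycloak adapter class): a servlet filter that
// maps the realm roles in a verified Keycloak AccessToken to application permissions.
// Assumes the Keycloak servlet adapter sits in front of it; roles/permissions are from the post.
package com.example.books;

import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/** Mapped to /api/books/* (web.xml or a FilterRegistrationBean); every request here needs a permission. */
public class BookPermissionFilter implements Filter {

    enum Permission { BOOK_READ, BOOK_CREATE, BOOK_DELETE }

    // role -> permissions. In production, load this from the app DB into a cache at startup
    // and refresh it on a timer; it must never be derived from anything the client sends.
    private static final Map<String, Set<Permission>> ROLE_PERMISSIONS = new HashMap<>();
    static {
        ROLE_PERMISSIONS.put("regular", EnumSet.of(Permission.BOOK_READ));
        ROLE_PERMISSIONS.put("admin", EnumSet.allOf(Permission.class));
    }

    /** Union of the permissions granted by every role in the token; unknown roles grant nothing. */
    static Set<Permission> permissionsFor(Set<String> roles) {
        Set<Permission> granted = EnumSet.noneOf(Permission.class);
        for (String role : roles) {
            granted.addAll(ROLE_PERMISSIONS.getOrDefault(role, Collections.<Permission>emptySet()));
        }
        return granted;
    }

    /** Permission an HTTP method needs on the book resource; null = unmapped, therefore denied. */
    static Permission required(String method) {
        switch (method) {
            case "GET":    return Permission.BOOK_READ;
            case "POST":   return Permission.BOOK_CREATE;
            case "DELETE": return Permission.BOOK_DELETE;
            default:       return null;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // The adapter sets this attribute only after verifying the bearer token
        // (signature against the realm key, expiry, issuer). Absent => not authenticated.
        KeycloakSecurityContext ctx =
            (KeycloakSecurityContext) http.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        AccessToken token = ctx.getToken();
        Set<String> roles = token.getRealmAccess() == null
            ? Collections.<String>emptySet()
            : token.getRealmAccess().getRoles();

        Permission needed = required(http.getMethod());
        if (needed == null || !permissionsFor(roles).contains(needed)) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);   // default deny
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

If the roles are client roles rather than realm roles (use-resource-role-mappings=true in the adapter), read them from token.getResourceAccess(clientId) instead of getRealmAccess(). With the third alternative from the post (fine-grained roles such as book:read placed in the token via groups), the table collapses to an identity mapping and the filter reduces to checking that the required role is present; the cost is that every permission change becomes a Keycloak role change that only takes effect when a new token is issued.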
[Keycloak-admin-client] An error message when changing password.
by Алексей Виноградов
Hello everyone.
I have a question about the REST API of Keycloak. When I attempt to change a
user's password via the REST API to a password that does not meet the security
constraints of Keycloak, I receive a BadRequestError without additional
information about what went wrong. But when I change the password in the
Administration console I see the exact error.
So, how can I get the exact problem with my password?
My use case is this:
I have a frontend (html/css) that communicates with a backend that
communicates with Keycloak. A user wants to change the password of his/her
account, so he/she clicks a button on some form and makes a request to the
backend to change the password. The backend processes that request and asks
Keycloak to change the user's password. In case the password doesn't meet the
security constraints I want to provide the exact error to the user.
Thanks to all.
--
Best regards,
Vinogradov Alexey
vinogradov.a.i.93(a)gmail.com
+7 983 311 38 40
5 years, 7 months
Help for using Keycloak in Spring Boot
by Ali Ahmadzadeh Asl
Hi
First of all, excuse me for poor English.
I am trying to use Keycloak in Spring Boot 2. I read many articles about this matter, such as the following link:
https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-b...
There is an issue that I can't resolve. The resources, policies and permissions defined in the admin panel for the client do not have any effect on my server. For example, I defined a resource for the URL pattern /rest/* and a policy requiring ROLE_REST, and I also defined a permission mapping this resource to this policy.
But after running the server, I can use the REST services without any limitation or authentication.
Now the question is: how can I manage Spring Boot application security and permissions from the Keycloak admin panel?
Thank you
5 years, 7 months
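Two things have to be present on the adapter side before anything defined under the client's Authorization tab has any effect: a security constraint that makes the adapter challenge the protected paths at all (otherwise an anonymous request never reaches the authorization step, which matches the "without any limitation and authentication" symptom above), and the policy enforcer, which is off unless the adapter configuration carries a policy-enforcer-config section. The fragment below is an added example of a Spring Boot application.properties that enables both; it is not from the poster or from the Keycloak documentation. Realm, client id, server URL and the environment variable used for the secret are assumptions, and the client itself must be confidential with "Authorization Enabled" switched on in the admin console, or the enforcer has nothing to evaluate against.

```properties
# Added example (not the poster's configuration): Spring Boot adapter settings that make the
# resources/policies/permissions defined in the admin console actually apply to /rest/*.
keycloak.realm=my-realm
keycloak.resource=my-app
keycloak.auth-server-url=https://sso.example.com/auth
keycloak.ssl-required=external
# A bearer-only backend never redirects to the login page; callers must present a token.
keycloak.bearer-only=true
# Keep the client secret out of the properties file (assumed environment variable).
keycloak.credentials.secret=${MY_APP_CLIENT_SECRET}

# Without a security constraint the adapter never challenges /rest/*, so anonymous calls pass.
# uma_authorization is a default realm role every user receives, i.e. "any authenticated user".
keycloak.securityConstraints[0].authRoles[0]=uma_authorization
keycloak.securityConstraints[0].securityCollections[0].name=rest
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/rest/*

# The policy enforcer is disabled until a policy-enforcer-config section exists.
# ENFORCING denies anything without a matching granted permission; PERMISSIVE only logs.
keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
# Resolve resource paths on first use instead of pulling the whole resource set at startup.
keycloak.policy-enforcer-config.lazy-load-paths=true
```

Start with enforcement-mode=PERMISSIVE while checking the adapter log shows the expected "permission denied" decisions for /rest/*, then switch to ENFORCING. The 2.5 documentation linked above predates the Spring Boot 2 adapter; the current "Securing Applications" guide documents these property names.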
Keycloak, SpringBoot, and Swagger-UI
by Ali Ahmadzadeh Asl
Hi Dears
I have a Spring Boot project which uses Swagger-UI library for describing and testing REST services. Everything was ok until I added Keycloak library and settings to my project. The Keycloak settings are:
keycloak.realm=my-realm
keycloak.resource=my-app
keycloak.ssl-required=external
keycloak.enable-basic-auth=true
keycloak.autodetect-bearer-only=true
keycloak.use-resource-role-mappings=true
keycloak.principal-attribute=preferred_username
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.credentials.secret=f3776b88-2600-44fa-83ec-67cb72fa0000
keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied
keycloak.securityConstraints[0].authRoles[0] = USER
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*
Now, when a logged-in user wants to see the Swagger-UI page using a URL like http://127.0.0.1:6060/swagger-ui.html, a message containing the text below and a text box are shown:
"Unable to infer base url. This is common when using dynamic servlet registration or when the API is behind an API Gateway. The base url is the root of where all the swagger resources are served. For e.g. if the api is available at http://example.org/api/v2/api-docs then the base url is http://example.org/api/. Please enter the location manually: "
But the JSON of services' definitions is accessible from http://127.0.0.1:6060/v2/api-docs address.
Can anybody help me to solve this problem? What is the reason for this matter? How can I resolve?
Thanks
5 years, 7 months
Client Admin
by Fabio Ebner
Is there a sample of how to create and update users in a Java application?
All the samples I have found are older and don't work with Java 1.8 and this
dependency:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-admin-client</artifactId>
<version>6.0.1</version>
</dependency>
5 years, 7 months
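The following is an added example (not from the poster, not from the Keycloak documentation) of creating a user, setting a password and updating the user with keycloak-admin-client 6.0.1 on Java 8, the dependency quoted above. It also answers the earlier question in this digest about password changes through the REST API returning a bare BadRequestException: the policy message the admin console shows is in the body of the 400 response, which the exception carries and which the code reads back rather than discarding. Server URL, realm name, admin credentials and the user details are assumptions.

```java
// Added example (not the poster's code, not from the Keycloak docs) for keycloak-admin-client
// 6.0.1 on Java 8. Server URL, realm, admin credentials and user details are assumptions.
package com.example.admin;

import java.util.Collections;

import javax.ws.rs.BadRequestException;
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class UserAdminExample {

    public static void main(String[] args) {
        // A dedicated confidential client with a service account holding manage-users is the
        // least-privilege choice; admin-cli plus the master admin password is used here only to
        // keep the example short, and the password comes from the environment, not the source.
        Keycloak keycloak = KeycloakBuilder.builder()
            .serverUrl("https://sso.example.com/auth")
            .realm("master")
            .clientId("admin-cli")
            .username("admin")
            .password(System.getenv("KEYCLOAK_ADMIN_PASSWORD"))
            .build();

        UsersResource users = keycloak.realm("my-realm").users();

        // --- create ---------------------------------------------------------------
        UserRepresentation user = new UserRepresentation();
        user.setUsername("jdoe");
        user.setEmail("jdoe@example.com");
        user.setEnabled(true);

        Response created = users.create(user);
        String userId;
        try {
            // 201 with a Location header on success; 409 if username or e-mail already exists.
            if (created.getStatus() != 201) {
                throw new IllegalStateException("create failed: HTTP " + created.getStatus()
                    + " " + created.readEntity(String.class));
            }
            userId = CreatedResponseUtil.getCreatedId(created);   // parses the Location header
        } finally {
            created.close();
        }

        UserResource userResource = users.get(userId);

        // --- set password ----------------------------------------------------------
        CredentialRepresentation password = new CredentialRepresentation();
        password.setType(CredentialRepresentation.PASSWORD);
        password.setValue("correct horse battery staple");
        password.setTemporary(false);   // true would force a change at next login
        try {
            userResource.resetPassword(password);
        } catch (BadRequestException e) {
            // The realm password-policy violation is in the response body, not in e.getMessage().
            String body = e.getResponse().readEntity(String.class);
            throw new IllegalArgumentException("password rejected by realm policy: " + body, e);
        }

        // --- update ----------------------------------------------------------------
        // Fetch the current representation, change fields, and PUT the whole thing back;
        // sending a sparse representation would clear the fields you leave out.
        UserRepresentation current = userResource.toRepresentation();
        current.setFirstName("Jane");
        current.setAttributes(Collections.singletonMap("department",
            Collections.singletonList("books")));
        userResource.update(current);
    }
}
```

The body read in the BadRequestException handler is the same message the admin console renders, so a backend that proxies password changes can pass it (or a mapping of it) to the frontend instead of a generic "bad request". Treat that body as data, not as something to echo into HTML unescaped.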
Question about how to extend or know more about keycloak
by Paul Luk
Hi all,
I am now checking Keycloak to see whether I can adopt it and extend it
to fulfill my project's requirements.
However, when I try to check the source code on GitHub, I find there are
almost no comments in the source code of Keycloak!!!
The Javadocs are empty:
https://www.keycloak.org/docs-api/6.0/javadocs/index.html
I am quite surprised at how you guys can develop and maintain
Keycloak!
Without code comments or Javadocs, it will be difficult for me to study
and extend Keycloak (not even enough for creating an SPI).
Thanks.
5 years, 7 months
Re: [keycloak-user] Custom REST endpoint not associated with a REALM
by Michael Dailous
Is there anyone that can provide some guidance on this?
Michael
-----Original Message-----
Date: Thu, 30 May 2019 17:45:12 +0000
From: Michael Dailous <mdailous(a)forensiclogic.com>
Subject: [keycloak-user] Custom REST endpoint not associated with a
specific REALM
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
------------------------------
5 years, 7 months