X509 Direct Grant with client certificate
by Chirag Unnadkat
Hi,
Is it possible to pass the same client certificate in a token request with different login credentials?
My current setup doesn't seem to allow this, and I can't find any documentation saying this is not possible.
I have configured an X509 Direct Grant flow using X509/Validate Username (X.509 Config).
This is configured to take the Subject's Common Name, with the attribute "NAME".
I have configured a trust store with 1 certificate (I want to share this across users).
When I add the Subject Common Name to user 1's attribute, they then require the key pair to generate a token. However, once I share the same attribute details with user 2, both user 1 and user 2 stop working. Maybe I am missing some configuration that will allow my users to share the same certificate.
I ideally do not want to have one certificate per user, as this will get out of hand to manage as the population of the realm increases.
Kind Regards,
Chirag Unnadkat
Business Analyst
Cerillion plc
E. chirag.unnadkat(a)cerillion.com
T. 0207 9276029
W. www.cerillion.com
Addr. 25 Bedford Street, London, WC2E 9ES, UK
Browser Login vs Application Login(AWS SAML SSO)
by Siddiq Syed
Hi,
I did the SSO setup for Amazon AWS using SAML and Keycloak.
How to set up SSO for Amazon AWS using SAML and Keycloak
A step-by-step guide on how to set up SSO for Amazon AWS using SAML protocol and Keycloak as Identity Provider
This works fine when I log in with the browser using the URL (http://testserver/auth/realms/master/protocol/saml/clients/amazon-aws), which redirects me to AWS.
But when I do it programmatically (using jsoup) to get the SAML Response for AWS credentials, it gives me the error below:
"You took too long to login. Login process starting from beginning."
Is there any setting in the Keycloak server for login timeout from a non-browser call?
Please help.
-Siddiq.
Authentication in services
by Simão Silva
Hi there,
I'm trying to implement a feature and I don't know how. I have my
keycloak running on local network in 192.168.X.Y:A and I have a
website on 192.168.X.Y:B, in other words, same IP, different ports.
What I want is to redirect the 192.168.X.Y:B to the keycloak
authentication page and then redirect back to website. How should I do
that?
Best regards,
Simão Silva
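One way to do the redirect described above, as an added example that is not part of the original post: the website sends the browser to the realm's OpenID Connect authorization endpoint with a fresh state and PKCE challenge, and rejects any callback whose state it did not issue. Hosts, realm name, client id and callback path are placeholders.

```python
# Added example (not from the original post): redirect the website on 192.168.X.Y:B
# to the Keycloak login page on 192.168.X.Y:A with the OpenID Connect authorization-code
# flow (state + PKCE), then validate the callback. Hosts, realm and client id are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

KEYCLOAK_BASE = "http://192.168.X.Y:A/auth"     # placeholder Keycloak host:port
REALM = "myrealm"                                # placeholder realm
CLIENT_ID = "website"                            # placeholder client id
REDIRECT_URI = "http://192.168.X.Y:B/callback"  # placeholder website callback

_pending = {}  # state -> PKCE verifier; in a real app this lives in the server-side session

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_login_redirect() -> str:
    """URL to send the browser to; records the state and PKCE verifier for the callback."""
    state = _b64url(secrets.token_bytes(16))
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    _pending[state] = verifier
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?" + urlencode(params)

def handle_callback(callback_url: str) -> dict:
    """Validate the redirect back from Keycloak; return the form to POST to the token endpoint."""
    qs = parse_qs(urlparse(callback_url).query)
    state, code = qs.get("state", [None])[0], qs.get("code", [None])[0]
    verifier = _pending.pop(state, None) if state else None  # state is one-time use
    if verifier is None or code is None:
        raise ValueError("unknown or missing state, or no code: rejecting callback")
    # POST this form to .../realms/<realm>/protocol/openid-connect/token to obtain tokens.
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }
```

The token exchange itself is a server-to-server POST from the website to Keycloak; the browser only ever sees the redirect and the callback.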
How to get the role -> permissions for an authenticated user
by Ori Doolman
Hi,
I have a web application (Angular) which calls a REST API in a Java microservice.
In my application, which manages books, I have "regular" and "admin" roles.
"regular" is allowed to execute API readBook.
"admin" is allowed to execute APIs readBook, deleteBook, createBook.
The mapping between the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities.
I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions.
When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization.
1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created?
Or is there any other recommended way to "map" the roles into the effective permissions at runtime?
Maybe keep the role->permissions in my current DB and load them into a service cache?
2. I want to avoid calling Keycloak for every REST API call because this will result in bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way?
3. Another alternative I thought of:
have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role.
This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token.
Thanks,
Ori.
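An added example (not from the original post) of the "keep the role->permissions table in the service and cache it" option, alongside the alternative of putting permission-named roles straight into the token: the service reads the roles Keycloak already places in the access token and resolves them to permissions in process, with no call to Keycloak per request. The client id and claims below are constructed samples in the shape Keycloak uses for realm and client roles.

```python
# Added example (not from the original post): enforce book permissions in the REST
# service from the roles already in the Keycloak access token. The role->permission
# table is held in process (the "service cache" option); claims are constructed samples.
from functools import lru_cache

# Mapping the post describes; in practice loaded from the app DB at startup.
ROLE_PERMISSIONS = {
    "regular": frozenset({"book:read"}),
    "admin": frozenset({"book:read", "book:create", "book:delete"}),
}

def roles_from_claims(claims: dict, client_id: str) -> set:
    """Collect realm roles plus the client roles Keycloak emits under resource_access."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles

@lru_cache(maxsize=1024)
def permissions_for(roles: frozenset) -> frozenset:
    """Effective permissions for a role set; cached because the same sets recur across calls."""
    perms = set()
    for role in roles:
        # A role already named like a permission (the post's group-based alternative,
        # e.g. "book:delete" granted to an "Admins" group) is honoured directly;
        # named roles such as "admin" expand through the table.
        if ":" in role:
            perms.add(role)
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)

def authorize(claims: dict, client_id: str, required: str) -> bool:
    """True if the (already signature-verified) token grants `required`."""
    return required in permissions_for(frozenset(roles_from_claims(claims, client_id)))

# Constructed sample claims. A real service verifies the JWT signature, issuer,
# audience and expiry first, then passes the decoded payload here.
SAMPLE_REGULAR = {"sub": "u1", "realm_access": {"roles": ["regular", "offline_access"]}}
SAMPLE_ADMIN = {"sub": "u2", "realm_access": {"roles": ["admin"]},
                "resource_access": {"book-api": {"roles": ["book:read"]}}}
```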
Botched exporting a realm and reimporting it into another server
by Nick Stolwijk
Hello list,
I tried to export a realm from one server and import it into another.
This went badly and I'm trying to recover.
What I did:
Old server:
/opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=export \
  -Dkeycloak.migration.provider=singleFile \
  -Dkeycloak.migration.file=/opt/jboss/keycloak-export.json \
  -Dkeycloak.migration.realmName=my_realm \
  -Djboss.socket.binding.port-offset=1000
New server:
/opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=import \
  -Dkeycloak.migration.provider=singleFile \
  -Dkeycloak.migration.file=/opt/jboss/keycloak-export.json \
  -Djboss.socket.binding.port-offset=1000
This went well, but I don't see the realm in the new server UI. When I try
to export it from the new server it seems to be there. When I try to re-add
the realm through the UI it complains about duplicate entries. (Which is
logical)
How can I remove the botched import or fix the import so that it shows up?
With regards,
Nick Stolwijk
~~~ Try to leave this world a little better than you found it and, when
your turn comes to die, you can die happy in feeling that at any rate you
have not wasted your time but have done your best ~~~
Lord Baden-Powell
theme customization: organizing 'My Resources'
by Marek Lindner
Hi,
With a theme customization I am trying to organize the various resources
shared via UMA by essentially grouping them by type or URI. After poking in
the Keycloak sources and searching on the internet, I haven't yet found a way
to access the resource type or URI via the ftl theme engine.
Can this information be added to the theme HTML via ftl, or is there another
mechanism to make the 'My resources' pages more user friendly?
Thanks,
Marek
How to handle timeout for external IDP providers
by Bruce Wings
I have configured an external SAML IDP (Okta) with Keycloak. Now one of my
apps (unchangeable) is directly connected to the same SAML provider and needs a SAML
token when its API is called from my app. Since Keycloak provides a way to
retrieve the SAML token through an API:
/auth/realms/myRealm/broker/ping/token
I have obtained this SAML token and used it for my API. But there is 1 problem.
Suppose the expiry time of the SAML token is 1 hour, and the Keycloak refresh token
expiry is 2 hours. My Keycloak OIDC token will remain valid for 2 hours, and the
following URL: /auth/realms/myRealm/broker/ping/token will keep giving the
expired SAML token (from 1 hour to 2 hours).
What is the best way to get around this issue?
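An added example (not from the original post) of the check the app can do on its side: before reusing the SAML token fetched from the broker endpoint, read the assertion's Conditions window and treat it as unusable once NotOnOrAfter has passed, regardless of how long the OIDC session on the Keycloak side still lives. The assertion is a constructed sample containing only the elements the check needs.

```python
# Added example (not from the original post): decide whether a brokered SAML token
# fetched from /auth/realms/myRealm/broker/ping/token is still usable by checking the
# assertion's own validity window. The assertion below is a constructed sample.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
           "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SKEW = timedelta(seconds=30)   # tolerate small clock differences between IdP and app

def at(iso: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2020-01-01T11:00:00Z into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def assertion_window(saml_xml: str) -> tuple:
    """Return (NotBefore, NotOnOrAfter) from <saml:Conditions>; either may be None."""
    root = ET.fromstring(saml_xml)
    cond = root.find(".//saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    return (at(nb) if nb else None), (at(noa) if noa else None)

def saml_token_usable(saml_xml: str, now: datetime) -> bool:
    """False once NotOnOrAfter (less skew) is reached, even if the OIDC session is alive."""
    not_before, not_on_or_after = assertion_window(saml_xml)
    if not_before is not None and now + SKEW < not_before:
        return False
    if not_on_or_after is not None and now >= not_on_or_after - SKEW:
        return False
    return True

# Constructed sample: an assertion valid for one hour from its issue time.
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions NotBefore="2020-01-01T10:00:00Z" NotOnOrAfter="2020-01-01T11:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
```

When the check fails, the app has to obtain a fresh assertion by sending the user back through the broker login rather than re-reading the stored token.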
[Keycloak-admin-client] An error message when changing password.
by Алексей Виноградов
Hello everyone.
I have a question about the REST API of Keycloak. When I attempt to change
a user's password via the REST API to a password that does not meet the security
constraints of Keycloak, I receive a BadRequestError without additional
information about what went wrong. But when I change the password in the
Administration console I see an exact error.
So, how can I get the exact problem of what is wrong with my password?
My use case is this:
I have a frontend (html/css) that communicates with a backend that
communicates with Keycloak. A user wants to change the password of his/her
account, so he/she clicks a button on some form and makes a request to the
backend to change the password. The backend processes that request and asks
Keycloak to change the user's password. In case the password doesn't meet the
security constraints I want to provide the exact error to the user.
Thanks to all.
--
Best regards,
Vinogradov Alexey
vinogradov.a.i.93(a)gmail.com
+7 983 311 38 40
Keycloak LDAP dynamic mappers values
by Rodolfo
Hi all,
I have integrated my Keycloak instance with LDAP. I need to create users
with some attributes that do not exist in the create user form, like uidNumber
etc. The uidNumber and homeDirectory need to be created dynamically, so my
questions are:
1. Can I create a hardcoded-ldap-user-attribute that gets its value
dynamically?
2. Can I create more fields in the create user form?
Thanks and Regards
Rodolfo Azevedo