Getting AuthenticationConfig from RequiredAction
by Lukasz Lech
Hello,
Is it possible that a RequiredAction implementation could get the AuthenticatorConfig?
I need to access configuration parameters when I process the template. I have RequiredActionContext, but getAuthenticatorConfig() is only available on AuthenticationFlowContext...
It has to do with my previous emails about the SMS 2FA.
I'm in this class https://github.com/nickpack/keycloak-sms-authenticator-sns/blob/develop/s...
And instead of pseudo-verification of the phone number by typing it twice, I'm going to send an SMS and expect it to be re-entered on a second page. But to send the SMS, I need the configuration defined under Authentication -> Flows.
Btw. I need to call more methods from the context, but they are defined in both RequiredActionContext and AuthenticationFlowContext (getRealm, getSession etc.). Is there a reason why those interfaces have no common parent interface, although they share a pack of common methods?
Best regards,
Lukasz Lech
5 years, 6 months
Error creating realm role with attributes
by Rafael Tovar
Hi everybody,
I'm trying to create a realm role with custom attributes.
When I make this POST request:
/auth/admin/realms/master/roles
with the following body:
{
"name":"test_user",
"description": "im a test user",
"attributes": {
"color": "#555"
}
}
I get the error: Cannot deserialize instance of `java.util.ArrayList` out
of VALUE_STRING token
And when I try the request with this body:
{
"name":"test_user",
"description": "im a test user",
"attributes": {
"color": ["#555"]
}
}
I get a 201 but the role is created without the color attribute.
Thanks,
Rafael.
5 years, 6 months
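An added example, not code from the post or from Keycloak, that builds the role payload in the Map<String, List<String>> shape the attributes field expects (the shape the ArrayList deserialization error refers to) and then reads the role back through the admin REST path from the post to report any attribute that did not persist; base URL, realm and admin token are assumed inputs.

```python
"""Added example (not from the post or Keycloak): create a realm role with
attributes via the admin REST path from the post, then read it back to check
the attributes persisted. Base URL, realm and admin token are assumed inputs."""
import json
import urllib.request

def normalise_attributes(attrs):
    """RoleRepresentation.attributes is a Map<String, List<String>>; a bare
    string value is what triggers 'Cannot deserialize instance of
    java.util.ArrayList out of VALUE_STRING token', so wrap it in a list."""
    out = {}
    for key, value in attrs.items():
        if isinstance(value, str):
            out[key] = [value]
        elif isinstance(value, (list, tuple)) and all(isinstance(v, str) for v in value):
            out[key] = list(value)
        else:
            raise TypeError(f"attribute {key!r} must be a string or a list of strings")
    return out

def build_role_payload(name, description, attrs):
    return {"name": name, "description": description,
            "attributes": normalise_attributes(attrs)}

def missing_attributes(expected, created):
    """Compare the representation returned by GET .../roles/{name} with what
    was sent; returns the attribute keys that did not survive the create."""
    got = created.get("attributes") or {}
    return sorted(k for k, v in expected.items() if got.get(k) != v)

def create_and_verify(base_url, realm, token, name, description, attrs):
    """POST the role, then read it back and report attributes that were lost."""
    payload = build_role_payload(name, description, attrs)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    roles_url = f"{base_url}/auth/admin/realms/{realm}/roles"
    req = urllib.request.Request(roles_url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        if resp.status != 201:
            raise RuntimeError(f"unexpected status {resp.status} creating role")
    get_req = urllib.request.Request(f"{roles_url}/{name}", headers=headers)
    with urllib.request.urlopen(get_req) as resp:
        return missing_attributes(payload["attributes"], json.load(resp))

# Constructed sample of a GET response in which the attribute was dropped, as in the post.
SAMPLE_CREATED = {"id": "00000000-0000-0000-0000-000000000000", "name": "test_user",
                  "description": "im a test user", "composite": False,
                  "clientRole": False, "containerId": "master"}
```

Running missing_attributes against the role you GET after the 201 tells you exactly which attributes were silently discarded, which is the situation the second request in the post describes.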
exchange token cross realm
by triton oidc
Hi Keycloak users!
My target is to exchange an OIDC access token (linked to a user)
from an app1 in realm 1 to an app2 in realm 2.
I'm using 4.8.3.Final on both IDPs.
Using a curl script, it works great (minus a user linking issue).
However I'm looking for a prod-ready implementation, and I can't give all
the credentials to the calling API.
In my example, the API 1 would need:
- the client id / secret on the IDP1, used for the link to IDP2
- the client id / secret on the IDP2, used for the link to IDP1
I can't put that in my procedure.
I therefore created a new component that does the mapping, and this
component does have the credentials on both IDP.
The complexity is increased, and my boss is not convinced that creating an
exchange component is the best way to solve the issue.
link to the sequence diagram
<https://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgRXhjaGFuZ2Ug...>
link to the source of the diagram
<https://www.websequencediagrams.com/?lz=dGl0bGUgRXhjaGFuZ2UgdG9rZW4gd2l0a...>
Is there a way to simplify this?
Like when I do two token exchanges in the same realm, App1 to App2 to App3,
could I use the credential shared between App1 and App2 to do the
exchange of the App2 token for an App3 token (only if the App1 token
can be exchanged for an App2 token)?
This way, when I do a cross-realm exchange, I won't need the credentials
of the current IDP, but only the App credentials.
Or some other way I have not figured out.
Thanks for any tips
Amaury
5 years, 6 months
Building master from source
by Lukasz Lech
Hello,
Is Keycloak master meant to be built from source by non-Keycloak devs?
My local build fails because of:
Plugin org.keycloak:db-allocator-plugin:7.0.0-SNAPSHOT or one of its dependencies could not be resolved: Could not find artifact org.keycloak:db-allocator-plugin:jar:7.0.0-SNAPSHOT in central
Best regards,
Lukasz Lech
5 years, 6 months
Scope Permissions with Resource Type
by Farzad Panahi
Hi,
I have a client authorization set-up like the following:
RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
USER_1: USER_GROUP_A
USER_2: USER_GROUP_A
USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
I want to create permissions to give only SCOPE_READ access (not
SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
If I create a resource-based permission then it will grant access to
both scopes.
Unfortunately I cannot create a scope-based permission because scope
permissions do not support resource types. They only support resources. If I
want to use a scope-based permission then I have to create a permission for
every single resource in my resource type.
I was wondering if there is a reason that scope-based permissions do not
support resource types?
Also, does anyone have any idea how I can achieve my requirement given the
limitations that we have? Is there a way to create a policy that grants
access only to a certain scope?
Cheers
Farzad
5 years, 6 months
Adding 2FA with SMS
by Lukasz Lech
Hello,
I'm analysing the requirement for adding 2FA with SMS to Keycloak.
There is a ready project https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns and to activate it, you need to modify the browser authentication flow.
This looks quite cheaply made. First, the SMS is always sent, but validated only if you set SMS validation to REQUIRED; second, you give your mobile number, and if it is wrong, you must call support to change it for you.
The correct way would be to make it analogous to TOTP: a separate screen where you give your mobile number, then give the validation code, and only then is your mobile phone number saved.
Could you please give me a hint whether adding a second 2FA this way could be done via a plug-in, i.e. by writing provider(s), changing themes and editing flows in the administration console, or whether it would require some changes to the Keycloak core code?
Were there any attempts at writing alternative 2FA plugins working in a similar way to how TOTP works now?
Best regards,
Lukasz Lech
5 years, 6 months
keycloak healthcheck with microprofile
by Meissa M'baye Sakho
Hello everyone,
Has someone tried to create a health check with SmallRye and the new metrics
extension?
I tried Thomas Darimont's following example [1] long ago to implement a
health check, but would like to know if someone has started something.
[1] https://github.com/thomasdarimont/keycloak-health-checks/tree/master
thanks
--
Meissa Sakho, RHCA
Architect
Red Hat EMEA <https://www.redhat.com/>
msakho(a)redhat.com
M: +33-6-9559-7778
5 years, 6 months
How to integrate 3rd-party 2FA with Keycloak
by Hyunji Kim
Hello all,
Is there any way to integrate a 3rd-party 2FA with Keycloak so that the OTP
code is validated by the 2FA outside Keycloak?
My team is using Authy for 2FA and I'm trying to figure out how to
integrate it with Keycloak.
Thank you,
Hyunji
5 years, 6 months
OpenAPI (swagger) documentation
by Chris Couzens
Hello,
I've created an OpenAPI specification for Keycloak's admin Rest API.
https://github.com/ccouzens/keycloak-openapi/blob/master/keycloak/6.0.json
Feel free to make use of it.
It was generated by programmatically scraping the Keycloak Admin Rest API
documentation. This means it unfortunately has the same limitations (no
authz routes, the types having all fields as optional). But what is there
is complete and correct: all the paths [1] from the admin Rest
documentation, all the parameters, all the request [2] and response bodies
and their respective schemas.
I used it in a couple of projects as I was putting it together. It meant I
didn't feel I was missing language-specific clients for Keycloak's API.
Kind regards,
Chris
[1] except this one. Whilst it might appear simple, it can't be represented
in OpenAPI because the path parameter would need to allow slashes:
https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_preflight
[2] except for the request bodies that are labelled FormData. This affects
4 routes. I expect they'd be relatively easy to implement, but those 4
routes being broken doesn't affect me. Pull requests welcome.
https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_uploadjks
5 years, 6 months