Re: [keycloak-user] AUTHZ How can I provide custom attributes to JS policy?
by Brandon Williams
[forgot to reply all, forwarding to list in case others have same problem]
Thanks for the links, I found those methods via other means and was using
them already. Thanks for confirming that setting claims is the correct way
to push data into the policies.
Most of all, thanks for "just adding" that pushing claims requires a
service account. That was the part I missed, and after changing that everything is
working as expected now!
On Tue, Jun 11, 2019 at 8:39 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
> I'm not sure why this change is not in the latest documentation, but here
> is how [1] [2] you pass additional claims to your policies when using
> node.js adapter.
>
> I would just add that in order to push claims the request should be made
> by a resource server (your client configured with the authz services).
> Public clients cannot perform such requests as they can be easily
> manipulated.
>
> [1]
> https://github.com/keycloak/keycloak-documentation/pull/654/files#diff-02...
> [2]
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixt...
>
> On Tue, Jun 11, 2019 at 8:56 AM Brandon Williams <brandon(a)amazee.io>
> wrote:
>
>> I'm using authorization services to protect an API (written in node.js). I
>> would like to use a custom javascript policy that gets information from the
>> context to determine if a user has access or not. Here's an example:
>>
>> > var context = $evaluation.getContext();
>> > var contextAttributes = context.getAttributes();
>> >
>> > var myCustomData = contextAttributes.getValue('myCustomData');
>>
>> This works well when I'm testing the policy via the UI and using the
>> "Contextual information" section of the evaluate page.
>>
>> Now I'm trying to figure out how to send that data when I'm doing an authz
>> check from the API. In my API I'm using the "keycloak-connect" library and
>> using the grant manager to send authz requests. Link to relevant code:
>>
>> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middlewar...
>>
>> My assumption is that I can add "myCustomData" to the claim_token for this
>> request, and it would be made available in the contextAttribute. I'm
>> following the examples to build the claim from these docs
>>
>> https://www.keycloak.org/docs/4.8/authorization_services/#_service_pushin...
>>
>> Whenever I try to add arbitrary data as a claim, even simple strings, I get
>> errors from keycloak API that it can't find the bearer token. Just removing
>> the claim_token makes the requests work.
>>
>> My two questions are: Is adding data as a claim the correct way to push
>> data into the policy evaluation context? If so, why are my claims failing
>> the requests?
>>
>> Thanks,
>> Brandon Williams
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
5 years, 7 months
AUTHZ How can I provide custom attributes to JS policy?
by Brandon Williams
I'm using authorization services to protect an API (written in node.js). I
would like to use a custom javascript policy that gets information from the
context to determine if a user has access or not. Here's an example:
> var context = $evaluation.getContext();
> var contextAttributes = context.getAttributes();
>
> var myCustomData = contextAttributes.getValue('myCustomData');
This works well when I'm testing the policy via the UI and using the
"Contextual information" section of the evaluate page.
Now I'm trying to figure out how to send that data when I'm doing an authz
check from the API. In my API I'm using the "keycloak-connect" library and
using the grant manager to send authz requests. Link to relevant code:
https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middlewar...
My assumption is that I can add "myCustomData" to the claim_token for this
request, and it would be made available in the contextAttribute. I'm
following the examples to build the claim from these docs
https://www.keycloak.org/docs/4.8/authorization_services/#_service_pushin...
Whenever I try to add arbitrary data as a claim, even simple strings, I get
errors from keycloak API that it can't find the bearer token. Just removing
the claim_token makes the requests work.
My two questions are: Is adding data as a claim the correct way to push
data into the policy evaluation context? If so, why are my claims failing
the requests?
Thanks,
Brandon Williams
5 years, 7 months
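The request Brandon describes above, together with the constraint Pedro adds in his reply (claims can only be pushed by the resource server, i.e. the confidential client that has authorization services enabled, never by a public client), as an added JavaScript example that is not code from the thread, from keycloak-connect or from Keycloak itself. It builds the UMA token-endpoint request with a base64-encoded `claim_token` in the shape the Keycloak "pushing claims" documentation shows (JSON whose values are arrays of strings). The Keycloak base URL, realm, client id and secret, bearer token, permission name and claim values are constructed placeholders; `sendAuthzRequest` assumes Node's global `fetch` (Node 18 or later).

```javascript
// Added example: build a Keycloak UMA authorization request that pushes
// custom claims into the policy evaluation context via `claim_token`.
// All endpoint values, credentials and claims below are placeholders.

const UMA_GRANT = 'urn:ietf:params:oauth:grant-type:uma-ticket';
const CLAIM_TOKEN_FORMAT = 'urn:ietf:params:oauth:token-type:jwt';

// Keycloak expects claim_token to be base64-encoded JSON in which every
// claim value is an array of strings. A JS policy then reads such a value
// with contextAttributes.getValue('myCustomData').asString(0) (Keycloak docs).
function encodeClaimToken(claims) {
  const normalized = {};
  for (const [name, value] of Object.entries(claims)) {
    const values = Array.isArray(value) ? value : [value];
    normalized[name] = values.map((v) => String(v));
  }
  return Buffer.from(JSON.stringify(normalized), 'utf8').toString('base64');
}

// Inverse of encodeClaimToken, used here to verify what would be sent.
function decodeClaimToken(token) {
  return JSON.parse(Buffer.from(token, 'base64').toString('utf8'));
}

// Build the token-endpoint request. `resourceServer` is the confidential
// client (with Authorization Services enabled) on whose behalf the request
// is made; `bearerToken` is the access token of the user being checked.
// `keycloakBase` includes the `/auth` prefix on older Keycloak versions.
function buildAuthzRequest({ keycloakBase, realm, resourceServer, bearerToken, claims, permissions = [] }) {
  if (!resourceServer.clientSecret) {
    // A public client has no secret; Keycloak rejects claim pushing from it
    // because anything a public client sends can be altered by the end user.
    throw new Error('pushing claims requires a confidential client (resource server)');
  }
  const body = new URLSearchParams();
  body.set('grant_type', UMA_GRANT);
  body.set('audience', resourceServer.clientId);
  body.set('client_id', resourceServer.clientId);
  body.set('client_secret', resourceServer.clientSecret);
  body.set('claim_token', encodeClaimToken(claims));
  body.set('claim_token_format', CLAIM_TOKEN_FORMAT);
  for (const p of permissions) body.append('permission', p); // e.g. "Resource A#read"
  return {
    url: `${keycloakBase}/realms/${realm}/protocol/openid-connect/token`,
    method: 'POST',
    headers: {
      Authorization: `Bearer ${bearerToken}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// Send the request; on success the JSON response carries the RPT in
// `access_token`. Not invoked here so the example stays offline.
async function sendAuthzRequest(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`authorization request failed: ${res.status} ${await res.text()}`);
  return res.json();
}

module.exports = { encodeClaimToken, decodeClaimToken, buildAuthzRequest, sendAuthzRequest };
```

Usage: call `buildAuthzRequest` with the resource server's own id and secret plus the user's bearer token, then pass the result to `sendAuthzRequest`. The secret check mirrors Pedro's point: the process that pushes claims is the API (resource server) itself, so the claim values come from server-side state and not from anything the browser or a public client could have tampered with.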
Configuring unique user identifiers
by Paolo Tedesco
Hi all,
I'm trying to set up Keycloak as the Single Sign-On service at CERN, to replace our current service based on ADFS.
I would like to customize the unique identifiers used by Keycloak in its internal user database, to avoid possible email or username clashes.
My problem is that, in our environment, we allow users to change their email address, and also to use an external (non-CERN) address as their mail, and we saw that a user changing mail can lead to problems with Keycloak.
We tried using logins instead of emails as unique identifiers, but that creates possible clashes as well, as we don't have control over external IDPs logins.
We want to avoid that in case of these clashes the external IDP user is prompted to join their account to one of our accounts.
We thought that, to avoid this kind of clashes, we could add a postfix to the login, so that for example my CERN account could be identified as "ptedesco(a)cern.ch", without clashing with "ptedesco(a)github.com", but we couldn't find a way to do this, especially for Github or other social providers.
Is there a way to customize the unique user identifiers in Keycloak, either through configuration, or by coding some extension?
Thanks,
Paolo Tedesco
5 years, 7 months
Keycloak database startup error
by Abhishek Singh
Hi,
I'm trying to upgrade from standalone mode to cluster mode in Keycloak, and
for this I have configured a cluster using JGroups and a local MySQL database.
The version is the same, as I have changed only the conf file standalone-ha.xml.
The cluster is successfully formed and checked also.
Now when I'm pointing both nodes to the production MySQL database and
start Keycloak, it generates a database error: "Failed to update
the database: Table already exists".
I have tried every possible option, including setting the migration strategy to manual
in standalone-ha.xml, but nothing works.
I'm using keycloak-3.4.3.Final and MySQL
mysql-server-5.5-1.6.amzn1.noarch.
Below is the error shown as an exception when starting Keycloak.
05:22:44,963 ERROR
[org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider]
(ServerService Thread Pool -- 62) Change Set META-INF/
jpa-changelog-1.0.0.Final.xml::1.0.0.Final::sthorger@redhat.com failed.
Error: Table 'APPLICATION_DEFAULT_ROLES' already exists [Failed SQL: CREATE
TABLE keycloak3_schema.APPLICATION_DEFAULT_ROLES (APPLICATION_ID
VARCHAR(36) NOT NULL, ROLE_ID VARCHAR(36) NOT NULL)]:
liquibase.exception.DatabaseException: Table 'APPLICATION_DEFAULT_ROLES'
already exists [Failed SQL: CREATE TABLE
keycloak3_schema.APPLICATION_DEFAULT_ROLES (APPLICATION_ID VARCHAR(36) NOT
NULL, ROLE_ID VARCHAR(36) NOT NULL)]
at
liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316)
at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
at
liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247)
at
liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230)
at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
at liquibase.Liquibase.update(Liquibase.java:210)
at liquibase.Liquibase.update(Liquibase.java:190)
at liquibase.Liquibase.update(Liquibase.java:186)
05:22:44,983 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
-- 62) MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./auth:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./auth:
java.lang.RuntimeException: RESTEASY003325: Failed to construct public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct
public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
Please help for this issue.
Regards,
Abhishek
5 years, 7 months
KC as SAML SSO point for Atlassian Cloud Jira/Confluence
by Eugeniy Khvastunov
Hi Everyone!
The last few days I spent in search of a mistake that I am making (or not) in
the integration of Atlassian's cloud applications and my KC. I see in SAML
tracer that KC sends information about the successful authorization of the
user, but Atlassian responds with this error:
GET
application: jira continue:
https://MyKeyCloakTest.atlassian.net/login?redirectCount=1
error: access_denied
error_description: Invalid RSAES-OAEP padding.
state: a8185482ff7e070fc3f7c6a91c2aac21eecae80b
Am I setting up a client incorrectly?
Perhaps one of you has already had experience integrating KC with
Atlassian's cloud applications through SAML, or has come across integration
instructions/howtos?
I would be grateful for any help!
--
wbr. Eugeniy Khvastunov,
System administrator.
[FMGH-UANIC]
http://blog.unlimite.net
5 years, 7 months
Get Keycloak to include AttributeConsumingServiceIndex in SAML2.0 AuthnRequest
by Georgi Matev
We are using Keycloak as an identity federation gateway, and one of the IdPs we are trying to connect to requires that SAML requests specify an AttributeConsumingServiceIndex so that the desired requested attributes can be returned.
We have not been able to find a way to specify the index value so that the AttributeConsumingServiceIndex can be included in the request as part of configuring a SAML provider under Identity Providers. Any recommendations on how to configure this?
Thanks,
-Georgi
5 years, 7 months
Creating a user from a form different than the builtin registration form
by Georgi Matev
I’m trying to understand what would be the best option to create a user for one of our realms from a marketing webpage that collects a lot of the user inputs. I realize we can customize the registration page through a theme, but in this particular case the marketing page collects a lot of additional information that feeds into other systems, and one of the actions that we want to happen is to create a user. Ideally we want to be able to do this on the client side, since the page overall submits its info to a different system that we do not control.
It seems that if we can get our hands on the POST URL associated with the built-in registration page form, we can just do a POST to it, but we have not been able to find a good way to get that URL, which includes a server-side session_code parameter.
Any pointers are much appreciated.
Thanks,
-Georgi
5 years, 7 months
Where does the email URL come from?
by Jason Leach
Hi,
I’m having a problem with the email verification URL sent out by Keycloak. It shows as HTTP, whereas I would expect HTTPS; Keycloak is also expecting it to be HTTPS. It's probably because KC is behind a proxy (I have PROXY_ADDRESS_FORWARDING = true) on k8s. Everything else works great.
Any help figuring out how this is set or disabling the check would be great.
J.
5 years, 7 months
Gatekeeper header sanitization
by GARDAIS Ionel
Hi list,
I'd like to give gatekeeper a try.
Currently our keycloak is behind an haproxy.
Is any header sanitization required for incoming requests?
What if a request comes in with crafted X-Auth-* entries?
Thanks,
Ionel
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
5 years, 7 months
Keycloak Operator proposal
by Sebastian Laskawiec
Dear Community,
In the near-to-mid future we plan to start working on a Keycloak Operator.
Before we dive into the code, we'd like to share our plans with a wider
audience.
A while ago, I created a small design document and issued a Pull Request
against the Keycloak Community repo: https://github.com/keycloak/keycloak-community/pull/8
If you are interested in this topic, please grab a cup of coffee and give
us some feedback on the PR.
Thanks,
Sebastian
5 years, 7 months