Keycloak Plugin: How to retrieve list of synced users form Federated LDAP in EventListener
by Paul Edison
Hi,
I’m trying to write a plugin for Keycloak that should work (“export”) with the data of users that get created.
Currently writing it as a EventListerner Plugin that acts on adminEvents.
If a user is created in Keycloak itself in the local store this works fine.
With the event I get the "resourcePath=users/0958198e-7a5d-4fb3-9b1b-2481841bff3f"
and with that I can access the user:
> UserModel user = session.users().getUserById(<ID>, session.getContext().getRealm());
Thats fine – but with federation I got problems.
In the event of synchronisation I don’t get this information.
I only get the "resourcePath=user-storage/381a8a65-c425-487e-b14a-a1186fda5940/sync"
How would I get the users form that info?
Is there a way to get form the session the list of synced users form that ID?
And in best case a list of new users and only updated users?
Kind regards,
Paul
5 years, 4 months
Audience claim in Keycloak access tokens
by Peemöller, Björn
Hi everyone,
I have some questions about the audience claim in JWT and how they are handled in Keycloak, maybe someone can help me?
During an upgrade of our Keycloak instances from 4.1.0 to 6.0.1, we discovered that the handling of the audience claim changed for at least the following scenario:
- A technical (service) user obtains a token for the client clientA using the endpoint /realms/{realm-name}/protocol/openid-connect/token
- In the scope mappings of client A, the client roles of client clientB are added
Using Keycloak 4.1.0, the returned JWT contains
...
"aud": "clientA",
"azp": "clientA",
...
while using Keycloak 6.0.1, the JWT contains
...
"aud": "clientB",
"azp": "clientA",
...
While I understand that the second variant better allows to securely use the token also for client clientB, the token can no longer be used for the clientA if the client validates the token's audience, although the client was explicitly requested for clientA.
The Keycloak documentation [1] says that the client for which the token is issued will not be contained in the audience of the access token but can be added using the hardcoded audience mapper, which indeed leads to the claims
...
"aud": [
"clientA",
"clientB",
],
"azp": "clientA",
...
Now my questions: What is the rationale behind this behavioral change from Keycloak 4.1.0 to Keycloak 6.0.1? Why is the client for which the token is issued not included in the access token's audience? I mean, finally, it is the client the token is requested for.
Many thanks in advance,
Björn
[1]: https://www.keycloak.org/docs/latest/server_admin/#_audience
Bei Berenberg hat der Schutz Ihrer Daten seit jeher höchste Priorität. Informationen zum Umgang mit personenbezogenen Daten finden Sie hier: https://www.berenberg.de/files/Rechtliche%20Hinweise/DSGVO/DSGVO-Kundenin...
Diese Nachricht einschliesslich etwa beigefuegter Anhaenge ist vertraulich und kann dem Bank- und Datengeheimnis unterliegen oder sonst rechtlich geschuetzte Daten und Informationen enthalten. Wenn Sie nicht der richtige Adressat sind oder diese Nachricht irrtuemlich erhalten haben, informieren Sie bitte sofort den Absender über die Antwortfunktion. Anschliessend moechten Sie bitte diese Nachricht einschliesslich etwa beigefuegter Anhaenge unverzueglich vollstaendig loeschen. Das unerlaubte Kopieren oder Speichern dieser Nachricht und/oder der ihr etwa beigefuegten Anhaenge sowie die unbefugte Weitergabe der darin enthaltenen Daten und Informationen sind nicht gestattet. Wir weisen darauf hin, dass rechtsverbindliche Erklaerungen namens unseres Hauses grundsaetzlich der Unterschriften zweier ausreichend bevollmaechtigter Vertreter unseres Hauses beduerfen. Wir verschicken daher keine rechtsverbindlichen Erklaerungen per E-Mail an Dritte. Demgemaess nehmen wir per E-Mail auch keine rechtsverbindlichen Erklaerungen oder Auftraege von Dritten entgegen.
Sollten Sie Schwierigkeiten beim Oeffnen dieser E-Mail haben, wenden Sie sich bitte an den Absender oder an info(a)berenberg.de. Unsere Hinweise zum Schutz personenbezogener Daten finden Sie unter https://www.berenberg.de/files/Rechtliche+Hinweise/DSGVO/DSGVO-Kundeninfo....
5 years, 4 months
difference between openid connect 1.0 and keycloak open id connect identity providers
by Madhu
Whats the benefit and advantage of using keycloak openid connect identity provider over the standard open id connect 1.0 provider, i dont seem much literature around this in the latest keycloak documents? The identity provider page /configurations too looks very same..
When should i use keycloak openid connect and when open id connect?
RegardsMadhu
5 years, 4 months
extending SAML session with Azure ID via Keycloak
by Nijo Johny
Hi,
Our Application setup details
---------------------
Keycloak version: 3.3.0 Final
Keycloak acts as Broker.
Azure AD configured as identity provider over SAML.
Problem statement: Not able to renew and extract new SAML assertion from
Azure AD.
Our app is secured using Keycloak over Open ID Connect with JWT token. We
are leveraging Keycloak Identity Brokering to use Customer's Azure AD as
the Identity Provider. Once user login, we need invoke customer API by
sending SAML assertion issued by Azure AD.
We can extract SAML issued by IDP from keycloak via GET
/auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1. Keycloak is
always returning same SAML assertion, one issued on login even if expired.
Keycloak issues new JWT token to our app via refresh token exchange our
side. But we need valid SAML assertion to call customer API.
Is there a way to renew session with AD via keycloak? Passive SAML2 Auth
request is what I found as a solution for this. Is this supported from
Keycloak when it acts as a broker?
Any help is appreciated.
This e-Mail may contain proprietary and confidential information and is
sent for the intended recipient(s) only. If by an addressing or
transmission error this mail has been misdirected to you, you are
requested to delete this mail immediately. You are also hereby notified
that any use, any form of reproduction, dissemination, copying,
disclosure, modification, distribution and/or publication of this e-mail
message, contents or its attachment other than by its intended recipient/s
is strictly prohibited. Visit us at https://www.intellectdesign.com
5 years, 4 months
Implementing Multi-tenancy through Keycloak
by Dhara Basida
Hi Team,
We are currently planning to integrate our application with keycloak in
order to achieve multi-tenancy. We have hierarchy like :
1) Super Admin : Who have access to eveything and will create tenant.
2) Tenant Admin : This admin can create their Members and one tenant
admin cannot see the data of another tenant admin or Tenant. Also he
could not able to see any details of Super Admin.
3) Members : Member are specific to Tenant. Member have rights to
create their employees and roles which are applicable for their
employees. But Member cannot see details of other Members or their
Tenant Admin.
4) Employees : Employees are users who can only have view permissions
for role applicable to them and manage their profile. He could not able
to see any details of Member or Tenant.
QUestions :
I have created admin and tenant. I have link admin with Super Admin
and Tenant Admin with Realm admin. For Member I linked it with Client
but somehow I don't find the way to manage it. As I am not able to
create Employees from member (Not able to get Add options for users and
If I enable manage users or view users role from tenant admin than I can
also see data of tenant which is wrong).
Kindly provide the way to achieve these hierarchy.
Thank you,
Dhara Basida
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
5 years, 4 months
Running keycloak with azure web app for containers
by Neba Medard
Hello i have been trying to run keycloak in azure now with some problems
Am running keycloak as a container in azure using web app for containers
Am getting the keycloak image from docker hub and when i run the container
and serve the page and then try to navigate to the administration console,
it shows the page "we are sorry, invalid parameter:redirect_uri"
Am not even able to reach the administration console
Is there any configuration needed?
Just to let you know i am a junior developer and am starting with keycloak
Any help will be much appreciated
5 years, 4 months
Keycloak, Samba, and ldap password modify extended operation (RFC3062)
by Gary Kennedy
Someone has installed the smbk5pwd module into our ldap system used by our Keycloak instance. They wish to share the ldap service with another system that needs the samba password hash attributes. Unfortunately this means I now need keycloak to perform the ldap v3 password modify extended operation.
I've hacked this into our current user federation provider (which apparently extends the in-built ldap one), by having the provider implement `CredentialInputUpdater`, and everything is working within the realms of our tests.
What I am interested in, is if there is already usable work out there in having Keycloak use the password modify extended operation? and/or how other people have integrated similar requirements (ldap password modify extended operation, or samba/extra password hashes in ldap) - without extending too much of Keycloak (I was sooo close to removing our custom user federation provider) :p
Cheers,
Gary
5 years, 5 months
Alternative to Kerberos & Custom Use Case
by Aditya Bhole
Hi,
Are there any other mechanisms in Keycloak apart from Kerberos which can establish something similar to a cross realm trust?
Also, consider this use case: We have App A and App B. App A and App B may have different Keycloak instances or maybe in different realms of the same Keycloak instance. User logs into App A. He clicks on a button in App A which is supposed to take him to App B. The user now has a JWT when he logged into App A. Now App B knows that all the redirects are going to be from App A. So can App B verify the token through App A?
Regards,
Aditya
5 years, 5 months