KeyCloak Client Credentials pass http header values
by Rohit Chowdhary
I want to connect two applications, ClientApp and ResourceApp, securely on
behalf of a user via KeyCloak as the authorization server. The user does a
login into ClientApp and then ClientApp calls REST APIs on ResourceApp in
the background. I have set up KeyCloak adjacent to ResourceApp and
configured ClientApp as a KeyCloak client. ClientApp gets the AccessToken
and then calls APIs on ResourceApp. In this auth process, I want to
communicate some information from ClientApp to ResourceApp via HTTP
headers, so that KeyCloak can add them into the JWT access token. (The
reason I am trying this approach is that I will not need any user
maintenance within KeyCloak and ResourceApp.)
Questions: Am I trying to do something that is not possible or allowed in
such a security setup? Is there a better way to achieve this without having to
maintain users and roles in the KeyCloak server? I want KeyCloak to be just
a mechanism to offload token generation and act as a security mediator. Or can
I pass the header data from the auth request into the JWT token?
I looked into the Client Mappers of KeyCloak, but since there is a redirect
or forward within KeyCloak from Auth request to Get Token, the header
values are getting lost.
5 years, 4 months
Assign Roles to an LDAP user in Read only mode
by Harish Tammireddygari
Hi,
I am aware that if "Import users" is enabled, the users will be
automatically imported from LDAP into Keycloak and I can go to a user's
settings, and add roles to that user as needed. But in my case, I don't
want the users to be imported automatically and get access to the
application. I would like to restrict the access to a few LDAP users by
manually adding/importing LDAP users and assign roles to them.
I managed to create my own Rest endpoint to import the selected LDAP user
into Keycloak DB as a local user by adding the Federation link and required
LDAP attributes to the user. It is working fine. But the problem comes when
I assign a client level role to this imported user. It throws "Read-only
Mode" exception because "Import Users" is set to OFF in LDAP configuration.
I tried the below code to grant the roles to the user which works only
after the service. Is there a better way to assign the roles to an LDAP
user?
// Look the user up in Keycloak's local storage (the imported copy, not the LDAP provider)
UserModel user = keycloakSession.userLocalStorage().getUserById(userId, realm);
// Resolve the client-level role by name on the target client
RoleModel roleModel = client.getRole(role.getName());
// Persist the role mapping on the local user
user.grantRole(roleModel);
Thanks.
5 years, 4 months
best way to save Keystore and Truststore passwords in standalone.xml?
by Chris Smith
How can the Keystore and Truststore passwords be reasonably saved? Just having them in plaintext in standalone.xml seems like kind of a "bad thing".
Keycloak is running as a specific Active directory user, so set standalone as only accessible to that user and Domain Admins?
5 years, 4 months
Can decrypt identified HS256 refresh token with RS256 public key with client credentials grant
by Eric Brown
Hello,
At first I struggled to understand why pyJWT was raising an error when
decoding a refresh token issued from keycloak using the client
credentials grant. The specified error was : "The specified key is an
asymmetric key or x509 certificate and should not be used as an HMAC
secret. "
I now understand the issue:
The refresh token identifies itself as being HS256 encrypted in its header, so
pyjwt raises an error when I try to decrypt it with the keycloak public key.
The problem is that I am able to decrypt it with the public key when
bypassing verification with verify=False to pyjwt.decode.
The access tokens received are identified as RS256 and are fine.
Pyjwt behavior with verify enabled is thus correct when preventing decode of
HS256 tokens with public keys.
The problem now seems to be this:
Shouldn't it be impossible to decrypt the HS256 refresh token with the
public key at all?
So it might seem that the refresh tokens are incorrectly labelled as HS256
in the header but are truly RS256.
Thanks,
Eric
5 years, 4 months
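The behaviour Eric describes follows from how a JWT is built, and the following added example (not code from the post, from PyJWT or from Keycloak) shows it with nothing but the standard library. A JWS is base64url(header).base64url(payload).base64url(signature): it is signed, not encrypted, so "decoding it with the public key" while verification is off is just base64 decoding and never touches the key. Verifying an HS256 token needs the HMAC secret, which for a Keycloak refresh token stays inside Keycloak (the refresh token is meant to be handed back to the token endpoint, not checked by clients), and a verifier must pin the algorithm it expects rather than trusting the alg header, which is the guard PyJWT raised. The secret, the PEM placeholder and the claims below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample material for this example; not a real Keycloak realm key or token.
REALM_HMAC_SECRET = b"hmac-secret-that-only-keycloak-holds"
SAMPLE_PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkq...\n-----END PUBLIC KEY-----"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict) -> str:
    """Build a compact JWS like an HS256 refresh token: header.payload.signature. Nothing is encrypted."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(REALM_HMAC_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def header_alg(token: str) -> str:
    return json.loads(b64url_decode(token.split(".")[0]))["alg"]


def unverified_claims(token: str) -> dict:
    """What pyjwt.decode(..., verify=False) effectively does: base64url-decode the payload.
    No key is used, so 'decoding with the public key' succeeds for any token with any alg."""
    return json.loads(b64url_decode(token.split(".")[1]))


def check_key_for_alg(alg: str, key) -> None:
    """The guard PyJWT applies: an HMAC alg must never be verified with public-key material,
    otherwise anyone who knows the public key could mint tokens the verifier accepts."""
    is_public_key = isinstance(key, str) and ("PUBLIC KEY" in key or "BEGIN CERTIFICATE" in key)
    if alg.startswith("HS") and is_public_key:
        raise ValueError("asymmetric key or certificate must not be used as an HMAC secret")


def verify(token: str, key, expected_alg: str) -> dict:
    """Verify the way a resource server should: pin the expected alg instead of trusting the header."""
    actual_alg = header_alg(token)
    if actual_alg != expected_alg:
        raise ValueError(f"alg mismatch: header says {actual_alg}, expected {expected_alg}")
    check_key_for_alg(expected_alg, key)
    if expected_alg != "HS256":
        # RS256 needs an RSA implementation (e.g. PyJWT with cryptography); out of scope here.
        raise NotImplementedError("only HS256 is implemented in this example")
    head, body, sig = token.split(".")
    expected_mac = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


if __name__ == "__main__":
    refresh = make_hs256_token({"typ": "Refresh", "azp": "my-client", "exp": 1567062641})
    print("header alg:", header_alg(refresh))
    print("payload without any key:", unverified_claims(refresh))
    try:
        verify(refresh, SAMPLE_PUBLIC_KEY_PEM, "HS256")
    except ValueError as exc:
        print("refused:", exc)
    print("verified with the realm secret:", verify(refresh, REALM_HMAC_SECRET, "HS256"))
```

The practical consequence for a client: inspect a refresh token if you must (expiry, azp), but only the access token, with its RS256 signature checked against the realm's public key, is evidence of anything.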
Gatekeeper failing to proxy for redirect or mobile! :(
by Nick Powers
I have Keycloak and Gatekeeper configured to use Google as an identity
provider to front end my PHP application and most of the time it works
great but sometimes it exposes my internal host (which Gatekeeper should be
proxying for). If I log in from my desktop (Chrome) it works fine unless,
instead of clicking on a link, my app tries to use a redirect header, i.e.
my PHP example: header("Location: /protected/dashboard"); When that
happens instead of redirecting to
https://commentcontext.com/protected/dashboard, like it should, I see
https://webapp/protected/dashboard in the URL field. This fails because
there is no DNS for webapp. webapp is the name I use internally and it
should never be exposed externally. Also, if I try to connect using my
phone or tablet (both android) I get through the Google authentication fine
but then it tries to send me to https://webapp/protected/dashboard, which
again is a FAIL :(
Why is Gatekeeper failing to proxy sessions when initiated via a redirect
or when they come from mobile browser? Has anyone seen this behavior
before? Any help anyone could provide on this issue would be greatly
appreciated.
Thanks,
Nick
5 years, 4 months
Keycloak Gatekeeper configuration with SPA
by Yumna Ghazi
Hello everyone,
I'm using Keycloak as an identity manager and since it also provides
optional authorization, I decided to use it to suit my access control
requirements as well. I have multiple microservices that I want to protect
using Keycloak Gatekeeper like the configuration below but with separate
Gatekeepers per service.
 ---------      -----------      -----------      ------------
 |  UI   | ---> |  Proxy  | ---> |  GateK  | ---> |  Service |
 ---------      -----------      -----------      ------------
     |                                |
     |                                v
     -----------------------------> Keycloak
Aside from the CORS related issues this creates (KEYCLOAK-9099
<https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important
issue that I'm struggling with. My UI already has keycloak js integrated
with a public client specifically for itself, which I was using for login
initially. Now that I want to use the Gatekeeper proxy, I want my
login/token refresh to happen on the UI such that it would automatically
generate the requisite cookies for Gatekeeper, because I want to disable
redirection on Gatekeeper and send 401 directly in case of expired/bad/no
token.
a) Is my understanding correct and is this the correct approach?
b) If so, how can I login via Keycloak directly or via Gatekeeper and get
the required cookies (without some proxy-level hacking)?
Right now I'm hovering between a couple of options, from using Kong oidc
with some custom authorization to using Gatekeeper. Any help would be much
appreciated.
Thanks.
Yumna
5 years, 4 months
Hello mailinglist
by Xander
Hello everybody,
I just subscribed to this list and as a test, I wanted to give a friendly hello to everyone.
Best regards,
Xander
-- The Idiot Company
Met vriendelijke groet,
With kind regards,
Xander Smalbil
THE IDIOT COMPANY
Staalsteden 4-3A
7547 TA Enschede
The Netherlands +31 (0)53 20 30 275
info(a)theidiotcompany.eu
WWW.THEIDIOTCOMPANY.EU
5 years, 4 months
jboss-cli SSL access to keycloak Management interface usage, in Elytron 2-way SSL config, failing: "problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big" ?
by PGNet Dev
I'm setting up a new install of keycloak 7.0.0 for 2-way TLS
Starting with a working http controller
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+http://10.0.0.1:9990 \
version
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/keycloak
Release: 9.0.2.Final
Product: Keycloak 7.0.0
JAVA_HOME: /usr/lib64/jvm/java-11-openjdk
java.version: 11.0.4
java.vm.vendor: Oracle Corporation
java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664
os.name: Linux
os.version: 5.2.11-26.gd6e8aab-default
I configure JCEKS key-stores, and enable https for admin user access,
/subsystem=elytron/key-store=twoWayKS:add(path=/etc/keycloak/keystore.server.jceks,credential-reference={store=master-cs, alias=ks-pass},type=jceks)
/subsystem=elytron/key-store=twoWayTS:add(path=/etc/keycloak/truststore.server.jceks,credential-reference={store=master-cs, alias=ks-pass},type=jceks)
/subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={store=master-cs, alias=ks-pass})
/subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
batch
/subsystem=undertow/server=default-server/http-listener=default:remove()
/subsystem=undertow/server=default-server/https-listener=https:remove()
/subsystem=undertow/server=default-server/https-listener=default:add(socket-binding=https,ssl-context=twoWaySSC,enable-http2=true)
run-batch
At this point,
egrep "http-listener|https-listener" /usr/local/etc/keycloak/*/*/standalone.xml
<https-listener name="default" socket-binding="https" ssl-context="twoWaySSC" enable-http2="true"/>
and I can verify admin UI via http in browser has been disabled,
http://10.0.0.1:8080/auth/admin
"Unable to connect"
and https is enabled,
https://10.0.0.1:8443/auth/admin
LOGIN is OK
I still have http:// mgmt controller access at cmd-line
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+http://10.0.0.1:9990 \
version
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/keycloak
Release: 9.0.2.Final
Product: Keycloak 7.0.0
JAVA_HOME: /usr/lib64/jvm/java-11-openjdk
java.version: 11.0.4
java.vm.vendor: Oracle Corporation
java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664
os.name: Linux
os.version: 5.2.11-26.gd6e8aab-default
Setup 2way SSL for the Management interface,
batch
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=twoWaySSC)
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
/subsystem=elytron/client-ssl-context=twoWayCSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM)
run-batch
and verify *management* UI https in browser,
http://10.0.0.1:9990
REDIRECTS TO https://10.0.0.1:9993
and
https://10.0.0.1:9993
LOGIN is OK
works as expected.
But, checking cmd-line https access,
/opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \
--controller=remote+https://10.0.0.1:9993 \
-Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.jceks \
-Djavax.net.ssl.keyStore=/etc/keycloak/keystore.client.jceks \
-Djavax.net.ssl.trustStorePassword=keypass \
-Djavax.net.ssl.keyStorePassword=keypass \
version
where,
keytool -list -storetype jceks -storepass keypass -keystore ./keystore.client.jceks
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
client-keystore, Sep 6, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1F:...:6F
keytool -list -storetype jceks -storepass keypass -keystore ./truststore.client.jceks
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
client-keystore, Sep 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 1F:...:6F
fails with
Failed to connect to the controller: Failed to resolve host '10.0.0.1': Failed to obtain SSLContext: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext): problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big.
What's in my config, or missing from it, that's causing this error?
5 years, 4 months
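The error text itself says what went wrong, and the following added example (my own diagnostic, not part of the post or of WildFly/Keycloak) makes the arithmetic visible. `-Djavax.net.ssl.trustStore` on its own tells JSSE nothing about the format, so it opens the file as the JVM's default KeyStore type, which since Java 9 is PKCS12 (DER). A JCEKS file starts with the magic bytes CE CE CE CE; read as DER, the second 0xCE is a length byte whose low seven bits are 0x4E = 78, more than the four length bytes the JDK allows, hence "DerInputStream.getLength(): lengthTag=78, too big". The functions below sniff the format from the first bytes, reproduce the JDK's complaint, and emit the system properties to pass instead; the byte strings are constructed file headers, not real keystores.

```python
import struct

JKS_MAGIC = 0xFEEDFEED      # keytool's default type before Java 9
JCEKS_MAGIC = 0xCECECECE    # "-storetype jceks", as used in the post
DER_SEQUENCE = 0x30         # first byte of every PKCS#12 file


def identify_keystore(data: bytes) -> str:
    """Sniff the on-disk keystore format from its first bytes."""
    if len(data) < 4:
        raise ValueError("file too short to be a keystore")
    magic = struct.unpack(">I", data[:4])[0]
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    if data[0] == DER_SEQUENCE:
        return "PKCS12"
    return "unknown"


def der_length_tag(length_byte: int):
    """Mimic sun.security.util.DerInputStream.getLength() on the byte after a DER tag.
    High bit clear: short form, the byte is the length. High bit set: the low 7 bits say how
    many length bytes follow, and the JDK rejects more than 4 with '... lengthTag=N, too big'."""
    if length_byte & 0x80 == 0:
        return length_byte, False
    n = length_byte & 0x7F
    return n, n > 4


def explain_pkcs12_parse(data: bytes) -> str:
    """What the JDK's DER parser sees when it opens this file as PKCS12
    (the default KeyStore type since Java 9, i.e. what you get with no -D...StoreType)."""
    fmt = identify_keystore(data)
    if fmt == "PKCS12":
        return "PKCS12: parses as DER"
    tag, length_byte = data[0], data[1]
    n, too_big = der_length_tag(length_byte)
    if too_big:
        return f"{fmt} read as PKCS12: DerInputStream.getLength(): lengthTag={n}, too big."
    return f"{fmt} read as PKCS12: tag 0x{tag:02x}, length {n}"


def jsse_properties_for(path: str, data: bytes, role: str) -> list:
    """System properties (jboss-cli.sh accepts -D options) so JSSE opens the file as the right type.
    role is 'trustStore' or 'keyStore'."""
    fmt = identify_keystore(data)
    if fmt == "unknown":
        raise ValueError(f"{path}: not a keystore format this example recognises")
    return [f"-Djavax.net.ssl.{role}={path}", f"-Djavax.net.ssl.{role}Type={fmt}"]


# Constructed sample headers (first bytes only; real files continue with the entries).
SAMPLE_JCEKS = bytes.fromhex("CECECECE0000000200000001")
SAMPLE_JKS = bytes.fromhex("FEEDFEED0000000200000001")
SAMPLE_PKCS12 = bytes.fromhex("30820B3A02010330820AF106")

if __name__ == "__main__":
    for name, blob in [("truststore.client.jceks", SAMPLE_JCEKS),
                       ("legacy.jks", SAMPLE_JKS), ("store.p12", SAMPLE_PKCS12)]:
        print(f"{name}: {identify_keystore(blob)} | {explain_pkcs12_parse(blob)}")
    print(" ".join(jsse_properties_for("/etc/keycloak/truststore.client.jceks", SAMPLE_JCEKS, "trustStore")))
```

So the fix is to add `-Djavax.net.ssl.trustStoreType=JCEKS -Djavax.net.ssl.keyStoreType=JCEKS` to the jboss-cli.sh call, or to convert both client stores to PKCS12 with `keytool -importkeystore ... -deststoretype pkcs12` so the defaults apply. A plain JKS file gives the same shape of error with lengthTag=109 on a DER read, though JDKs with `keystore.type.compat=true` quietly fall back to JKS for that case; there is no such fallback for JCEKS.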
Two clients to share tokens
by Yang Yang
Hello,
Is it possible for two clients of the same realm to share tokens?
I am aware that when a user gets the token for a client, she will be redirected to get a new token when accessing another client. This is reasonable and necessary to stop attacks like CSRF, but if both of the two clients are trusted and registered on the same realm, we may be able to simplify the process.
If possible, could you help to tell how to do it?
Thanks,
Yang
5 years, 4 months
Evaluation of RPT in admin console does not match Rest request result...
by Axel
Hello.
Keycloak 6.0.1 and 7
Can anyone help me with understanding of evaluating RPT?
Scenario:
2 Realm Roles - RoleA and RoleB
1 user with both realm roles
2 clients:
clientA public (or confidential) with Scope=RoleA
clientB confidential and Authorization-Enabled with Scope=RoleA,RoleB
When I go to clientB
Authorization-Evaluate
set Client = clientA
set User = user
choose Any resource with scope(s) Any scope.
and see:
{
"jti": "7692f97f-3907-4e1b-a784-663c52f33bc7",
"exp": 1567062109,
"nbf": 0,
"iat": 1567061809,
"aud": "clientB",
"sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
"typ": "Bearer",
"azp": "clientA",
"auth_time": 0,
"session_state": "ff2e581c-0663-4b8c-9332-629b02c02729",
"acr": "1",
"realm_access": {
"roles": [
"RoleA"
]
},
"authorization": {
"permissions": [
{
"rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
"rsname": "Default Resource"
}
]
},
"scope": "email profile",
"email_verified": false,
"preferred_username": "user"
}
here I see that I have only RoleA (that is correct - I'm going through
clientA)
But when I make requests:
curl -d 'client_id=clientA' -d 'username=user' -d 'password=1' \
     -d 'grant_type=password' \
     'http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token'
grab access-token and
curl -X POST \
http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token \
-H "Authorization: Bearer access-token-from-first-curl" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=clientB"
I get different jwt:
{
"jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2",
"exp": 1567062641,
"nbf": 0,
"iat": 1567062341,
"iss": "http://localhost:8280/auth/realms/TestRPT",
"aud": "clientB",
"sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
"typ": "Bearer",
"azp": "clientA",
"auth_time": 0,
"session_state": "4d556dd0-4d27-4028-ac1d-54afd2e1f20e",
"acr": "1",
"realm_access": {
"roles": [
"RoleB",
"RoleA"
]
},
"authorization": {
"permissions": [
{
"rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
"rsname": "Default Resource"
}
]
},
"scope": "email profile",
"email_verified": false,
"preferred_username": "user"
}
Why is "RoleB" in the RPT? Do I understand the documentation wrong? Wrong RPT
request?
Our main target is: when user goes through clientA to clientB, clientB
should receive only those roles that the user has in clientA. We have many
applications-clients and we want to limit some of them. How can we achieve
this?
Thanks in advance.
Alexey Makarevich.
5 years, 4 months
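Whatever the server-side reason for the extra role in the RPT, a resource server that must never act on roles the calling application was not scoped for can enforce that itself from the claims it receives. The following added example (my own pattern, not code from the post or from Keycloak) takes the two payloads shown above, trimmed to the claims it uses, and applies the checks clientB would run after signature verification: token type, expiry, that `aud` names clientB, and that the roles honoured are the intersection of `realm_access.roles` with an allow-list keyed by `azp`, the client the user came through. The allow-list `ALLOWED_ROLES_BY_AZP` is an assumption for the example; in Keycloak terms it mirrors the role scope mappings of clientA and clientB, and the authoritative fix remains to turn off Full Scope Allowed and map roles per client on the server. The `now` value in the usage call is fixed so the sample tokens count as unexpired.

```python
import time

# Constructed: trimmed copies of the two token payloads shown in the post.
ACCESS_TOKEN_FROM_CLIENTA = {
    "aud": "clientA", "azp": "clientA", "typ": "Bearer", "exp": 1567062109,
    "realm_access": {"roles": ["RoleA"]},
}
RPT_FOR_CLIENTB = {
    "aud": "clientB", "azp": "clientA", "typ": "Bearer", "exp": 1567062641,
    "realm_access": {"roles": ["RoleB", "RoleA"]},
    "authorization": {"permissions": [
        {"rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139", "rsname": "Default Resource"}]},
}

# Assumption for the example: the roles each calling application may exercise against clientB,
# mirroring the role scope mappings configured on clientA and clientB in Keycloak.
ALLOWED_ROLES_BY_AZP = {"clientA": {"RoleA"}, "clientB": {"RoleA", "RoleB"}}
MY_CLIENT_ID = "clientB"


def audiences(claims: dict) -> list:
    """aud may be a string or a list in a JWT; normalise to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def effective_roles(claims: dict, allowed_by_azp=ALLOWED_ROLES_BY_AZP,
                    my_client_id=MY_CLIENT_ID, now=None) -> set:
    """Roles this resource server honours for the request. Signature verification is assumed
    to have happened upstream; this is the claim-level policy applied afterwards."""
    now = time.time() if now is None else now
    if claims.get("typ") != "Bearer":
        raise PermissionError("not a bearer token")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if my_client_id not in audiences(claims):
        raise PermissionError("token was not issued for this resource server")
    azp = claims.get("azp")
    if azp not in allowed_by_azp:
        raise PermissionError(f"unknown calling application {azp!r}")
    granted = set(claims.get("realm_access", {}).get("roles", []))
    # Keep only what the calling application was scoped for, even if the RPT carries more.
    return granted & allowed_by_azp[azp]


def permitted_resources(claims: dict) -> set:
    """Resource names the RPT's authorization.permissions block grants."""
    return {p["rsname"] for p in claims.get("authorization", {}).get("permissions", [])}


def authorize(claims: dict, required_role: str, resource: str, now=None) -> bool:
    """True only if the caller-scoped roles include required_role and the RPT permits the resource."""
    return required_role in effective_roles(claims, now=now) and resource in permitted_resources(claims)


if __name__ == "__main__":
    fixed_now = 1567062000  # sample tokens expire shortly after this instant
    print("roles honoured for the RPT:", effective_roles(RPT_FOR_CLIENTB, now=fixed_now))
    print("RoleA on Default Resource:", authorize(RPT_FOR_CLIENTB, "RoleA", "Default Resource", now=fixed_now))
    print("RoleB on Default Resource:", authorize(RPT_FOR_CLIENTB, "RoleB", "Default Resource", now=fixed_now))
```

With this in place the RPT's extra RoleB is dropped at clientB because the user arrived via clientA, and a token minted for clientA alone is rejected outright on the audience check.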