OIDC / SAML client access restriction
by Steeve C
Hi,
I'm looking for a way to restrict user access to a given OIDC (and / or
SAML) client for a given realm. I've tried to configure it using OIDC
"Authorization" feature by modifying the "Default policy" JS code to:
```
$evaluation.deny();
```
But without success, users are still able to connect to the client.
I've also tried to create a client role, but even if the user doesn't have
this role he can login to the application.
Can you confirm that it is possible to restrict user login access to
given user(s) / group(s) at the IdP level (Keycloak) without modifying the
client (i.e. without checking which role the user has)?
If it's possible, could you explain to me which process I should use?
(It's not very clear to me at the moment.)
Thanks,
Steeve
5 years, 3 months
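Keycloak's Authorization Services policies (the `$evaluation` script in the question) are evaluated when a client asks the token endpoint for permissions; they do not gate the login itself, which is why the user can still sign in. A login-time restriction lives in the authentication flow instead: copy the browser flow, add a Script authenticator (where that authenticator is available in your Keycloak version) after the Username Password Form step, paste the script below, and bind the copied flow to the client under its "Authentication flow overrides". This is an added example, not code from the thread or from the Keycloak project; the client role name `access` is an assumed convention, the `typeof Java` fallback and the `fake*` helpers only exist so the file also loads and can be exercised outside Keycloak.

```javascript
// Keycloak "Script" authenticator: deny login to users who lack a given client role.
// Keycloak binds the globals `user`, `realm`, `context`, `LOG` and `Java` before calling authenticate().
// The fallback object lets this file load under plain Node.js as well (assumption for local testing).
var AuthenticationFlowError = (typeof Java !== "undefined")
  ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
  : { ACCESS_DENIED: "ACCESS_DENIED" };

// Role name a user must hold on the client to be allowed in (assumed name).
var REQUIRED_CLIENT_ROLE = "access";

// Pure decision helper: true only if the client exists, defines the role, and the user holds it.
// UserModel.hasRole() resolves composite roles and group memberships, so granting the client
// role to a group restricts the client to that group's members.
function isAllowed(userModel, realmModel, clientId) {
  var client = realmModel.getClientByClientId(clientId);
  if (client === null || client === undefined) return false;
  var role = client.getRole(REQUIRED_CLIENT_ROLE);
  if (role === null || role === undefined) return false;
  return userModel.hasRole(role) === true;
}

// Entry point Keycloak calls for each login that reaches this authenticator.
function authenticate(context) {
  var clientId = context.getAuthenticationSession().getClient().getClientId();
  if (!isAllowed(user, realm, clientId)) {
    LOG.info("login to client " + clientId + " denied for user " + user.getUsername());
    context.failure(AuthenticationFlowError.ACCESS_DENIED);
    return;
  }
  context.success();
}

// Constructed stand-in objects (not Keycloak classes) so the decision helper can run offline.
function fakeRealm(clientId, roleNames) {
  var roles = {};
  roleNames.forEach(function (n) { roles[n] = { name: n }; });
  return {
    getClientByClientId: function (id) {
      return id === clientId ? { getRole: function (n) { return roles[n] || null; } } : null;
    }
  };
}
function fakeUser(username, heldRoleNames) {
  return {
    getUsername: function () { return username; },
    hasRole: function (role) { return heldRoleNames.indexOf(role.name) !== -1; }
  };
}
```

Because the override is bound per client, a user with no `access` role on that client is refused at the IdP, while other clients in the realm keep the default browser flow; the application itself needs no role check.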
Sign in with Apple?
by Jeffrey Sambells
Is there a way to configure Sign In with Apple using the existing Keycloak tools or does it require a custom identity provider?
Thanks,
Jeffrey
5 years, 3 months
Admin console: Custom roles
by Pavel Micka
Hi,
We hit the following issue: in our system, we need to have users, who are allowed to manage users, but not to delete them from the system (they may just disable them, so we still have the user object available for other parts of the system).
The issue is that Keycloak does not have a role for this particular task - whoever has manage-users, can also perform the delete. Is there any way to extend the default KC behavior and add a role requirement for the given REST endpoint? Our idea was to introduce a role delete-users, that will be required for this operation (either as a replacement for manage users for this endpoint, or as additional pre-requisite).
Or is there some other way to achieve this?
Thanks,
Pavel
We also looked at fine-grained permissions, but those do not seem to support this scenario.
5 years, 3 months
Link directly to the Registration page
by Stuart
Hi all,
Is it possible to send users directly to the 'register' page, instead of
going via the login page first?
I've tried pasting the 'register' link, but I get errors if I've not
visited the login page first. (I guess because of the tab_id parameter.)
Thanks,
Stuart.
5 years, 3 months
register new user; redirect to specific client url
by John Norris
I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results.
Within the client, I have switched on user registration. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email.
This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak.
What I would like to happen is to be able to add the new user to the apps own user database, associate a role with the user, perhaps do some verification of the user.
So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak, after a new registration, to contact this URL so that things can happen within the app?
I realise that I could set a default role. But I really want a way of telling keycloak to go to a specific URL after a new user registration is completed.
Regards,
5 years, 3 months
refresh token in keycloak
by John Norris
Hello,
I am trying to use a refresh token from keycloak. I'm a little unsure as to what is supposed to happen. Am I supposed to receive another access token after the original expires?
Anyway, I can use the original access token via curl and receive data from my application. But when I try to get a new access token using my refresh token,
$ curl -v --data "grant_type=refresh_token&client_id=bikes-app&refresh_token=$RTOKEN" https://mint191:8080/auth/realms/SpringBootKeycloak/protocol/openid-conne...
* Trying 127.0.1.1...
* TCP_NODELAY set
* Connected to mint191 (127.0.1.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
$ echo $RTOKEN
eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzOWE1MjY3ZC03NDI1LTQwNmUtOTAxYi0wYWI5Mjc2NjJkMzkifQ.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.WoX78QkWZX5AwYBKTy4I8H0ia0O1IR5A8dS93p6bzqg
I get the original token with
RESULT=`curl -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=user1&grant_type=password&client_id=bikes-app&password=123456' http://mint191:8080/auth/realms/SpringBootKeycloak/protocol/openid-connec...
and then get the token and refresh token variables.
Regards,
John
5 years, 3 months
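The `wrong version number` failure above is what curl reports when it starts a TLS handshake against a port that answers in plain HTTP; the password-grant command further down reaches the same port 8080 over `http://`. Independently of the transport, the refresh token itself can be inspected offline to see what the refresh grant is for: a successful `grant_type=refresh_token` call returns a fresh `access_token` (and Keycloak also issues a new `refresh_token`), and the `exp` claim of each token says how long it remains usable. The example below is added here and is not code from the post or from Keycloak; the JWT header is the one from the token printed above, while the payload and signature are constructed, and the token is decoded without verification for inspection only.

```javascript
// Decode the header and payload of a compact JWT without verifying the signature.
// Inspection only: claims from an unverified token must never drive an authorization decision.
function b64urlDecode(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtUnverified(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 dot-separated parts)");
  return { header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])) };
}

// Seconds left before `exp`; negative once the token has expired.
function secondsUntilExpiry(payload, nowSeconds) {
  if (typeof payload.exp !== "number") throw new Error("token has no exp claim");
  return payload.exp - nowSeconds;
}

// Summarise a Keycloak token: `typ` is "Bearer" for access tokens, "Refresh" for refresh tokens,
// "Offline" for offline tokens; `azp` names the client the token was issued to.
function describeToken(token, nowSeconds) {
  const { header, payload } = decodeJwtUnverified(token);
  return {
    alg: header.alg,
    kid: header.kid,
    typ: payload.typ,
    azp: payload.azp,
    secondsLeft: secondsUntilExpiry(payload, nowSeconds),
  };
}

// Form body for the refresh grant (POST to .../protocol/openid-connect/token as
// application/x-www-form-urlencoded); a confidential client would add client_secret.
function refreshRequestBody(clientId, refreshToken) {
  return new URLSearchParams({ grant_type: "refresh_token", client_id: clientId, refresh_token: refreshToken }).toString();
}

// Header copied from the refresh token in the post; payload and signature constructed here.
const SAMPLE_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzOWE1MjY3ZC03NDI1LTQwNmUtOTAxYi0wYWI5Mjc2NjJkMzkifQ";
function b64urlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_PAYLOAD = b64urlEncode(JSON.stringify({ typ: "Refresh", azp: "bikes-app", iat: 1569387600, exp: 1569389400 }));
const SAMPLE_TOKEN = `${SAMPLE_HEADER}.${SAMPLE_PAYLOAD}.signature-not-verified-here`;
```

The header shows `alg: HS256`, which is expected for a Keycloak refresh token (it is signed with a realm HMAC key identified by `kid` and is only ever presented back to Keycloak); access tokens, by contrast, are signed asymmetrically so that resource servers can verify them with the realm's public key.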
Single-Realm installation, start page, less deep links?
by Felix Schäfer
Hello,
I’m looking for some pointers regarding a few irks we still have with our Keycloak installation. Our Keycloak currently is a frontend for our LDAP and the place our users can change their password, emails, and so on.
As this realm, i.e. the realm managing and fronting the LDAP, will always be the only one, is there a way to change the / (root) link to go to that realm or its login page instead of showing the default start page? Furthermore, the /auth/realms/some-realm part of the URL feels kinda redundant; is there any way I can just remove it, even if only with a rewrite rule in our reverse proxy?
Thanks,
Felix
5 years, 3 months
Re: [keycloak-user] Map group attributes to users
by i need to know how to add new attribute to user with keycloak admin rest api
I want to add a custom attribute to a user with the Java admin REST API. Can you help me please or give me an example? Thanks.
Sent from Mail for Windows 10
5 years, 3 months
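Two details matter when setting user attributes through the admin REST API: attributes are stored as a map of name to a list of string values, and `PUT /admin/realms/{realm}/users/{id}` replaces the whole attribute map with what the request carries, so attributes left out of the request are removed. The safe pattern is therefore read, merge, write back. The example below is added here and is not code from the post or from the Keycloak project; it uses the REST API directly from Node.js (18+ for the built-in `fetch`) rather than the Java admin client, and assumes an admin access token with `manage-users` has already been obtained by other means.

```javascript
// Keycloak keeps user attributes as { name: ["value", ...] }; normalise scalars into that shape.
function normalizeValues(v) {
  return Array.isArray(v) ? v.map(String) : [String(v)];
}

// Merge new attributes into an existing UserRepresentation without dropping the ones already set.
// Returns a new object; the input representation is left untouched.
function mergeAttributes(existingRepresentation, newAttributes) {
  const merged = { ...(existingRepresentation.attributes || {}) };
  for (const [name, value] of Object.entries(newAttributes)) {
    merged[name] = normalizeValues(value);
  }
  return { ...existingRepresentation, attributes: merged };
}

// Read-merge-write against the admin REST API. baseUrl is the server root including the
// /auth prefix on Keycloak versions that use it (assumption); adminToken must carry manage-users.
async function addUserAttributes(baseUrl, realm, userId, adminToken, newAttributes) {
  const url = `${baseUrl}/admin/realms/${encodeURIComponent(realm)}/users/${encodeURIComponent(userId)}`;
  const headers = { Authorization: `Bearer ${adminToken}`, "Content-Type": "application/json" };

  const current = await fetch(url, { headers });
  if (!current.ok) throw new Error(`GET user failed: HTTP ${current.status}`);

  const updated = mergeAttributes(await current.json(), newAttributes);

  // Keycloak answers 204 No Content on a successful update.
  const put = await fetch(url, { method: "PUT", headers, body: JSON.stringify(updated) });
  if (put.status !== 204) throw new Error(`PUT user failed: HTTP ${put.status}`);
  return updated.attributes;
}

// Constructed representation standing in for what GET would return (not real Keycloak data).
const SAMPLE_USER = { id: "u1", username: "user1", enabled: true, attributes: { department: ["sales"] } };
```

Sending `{"attributes": {"employeeId": ["E-42"]}}` on its own would have erased `department`; merging first keeps it, and `mergeAttributes` is pure so it can be unit-tested without a server. Only the attribute names that are also exposed through a protocol mapper end up in tokens, so adding an attribute here does not by itself change what clients see.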
web.xml constraints question
by Turner, George
First, I am using the adapters in a WildFly server.
I am using a web application configuration.
All works well, except for a possible "nuisance" I am seeing in the logging, which may just be because I have TRACE logging turned on.
My web.xml has two security constraints, but only one has a user role constraint, thus the "unprotected" resources should be entirely ignored by the Keycloak processing:
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>unprotected</web-resource-name>
    <url-pattern>/shortcut.ico</url-pattern>
    <url-pattern>/features/*</url-pattern>
    <url-pattern>/plugins/*</url-pattern>
    <url-pattern>/registerForClock/*</url-pattern>
    <url-pattern>/registerForCallbacks/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>PremiereClientAccessRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```
My issue is that I simply had too many problems with the websocket paths (register*), and so I exclude them until I can get more time to work on them. I also have to exclude the features and plugins paths, as those are accessed by a Java Web Start JNLP application, which simply cannot pass any kind of OAuth credentials; I can only make it pass a JSESSIONID query parameter.
When that occurs, I get this output:
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.elytron.ElytronSessionTokenStore] (default task-8) Account was not in session, returning null
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) there was no code
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) redirecting to auth server
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) callback uri: https://ispace.space.smil:8443/premiereclient/plugins/org.eclipse.equinox...
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) Sending redirect to login page: https://iskeycloak:8443/auth/realms/ispace/protocol/openid-connect/auth?r...
2019-09-25 05:49:05,657 INFO [io.undertow.request.dump] (default task-8)
----------------------------REQUEST---------------------------
URI=/premiereclient/plugins/org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar
characterEncoding=null
contentLength=-1
contentType=[application/x-java-archive]
header=Accept=text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
header=Cache-Control=no-cache
header=accept-encoding=pack200-gzip,gzip
header=UA-Java-Version=1.8.0_221
header=Pragma=no-cache
header=User-Agent=JNLP/1.7.0 javaws/11.221.2.11 (<internal>) Java/1.8.0_221
header=If-Modified-Since=Tue, 24 Sep 2019 23:11:52 GMT
header=Connection=keep-alive
header=content-type=application/x-java-archive
header=Host=ispace.space.smil:8443
locale=[]
method=HEAD
parameter=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
protocol=HTTP/1.1
queryString=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
remoteAddr=tlsdorl9166lg3.us.lmco.com/172.22.1.138:2503
remoteHost=tlsdorl9166lg3.us.lmco.com
scheme=https
host=ispace.space.smil:8443
serverPort=8443
isSecure=true
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=Content-Length=0
header=Date=Wed, 25 Sep 2019 05:49:05 GMT
status=200
It "says" it is sending a redirect, but there is no Location header in the RESPONSE, so it just downloads the jar and everything works fine, but it is "disconcerting" that it is "attempting" to, even though that URL is excluded per the security constraints.
In the case of the websocket paths, something similar occurs:
2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (default task-7) Evaluating request for path [https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc...]
2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-7) adminRequest https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc...
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) --> authenticate()
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try bearer
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try query paramter auth
2019-09-25 05:49:25,700 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try basic auth
2019-09-25 05:49:25,700 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-7) NOT_ATTEMPTED: Treating as bearer only
2019-09-25 05:49:25,702 INFO [io.undertow.request.dump] (default task-7)
----------------------------REQUEST---------------------------
URI=/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
characterEncoding=null
contentLength=-1
contentType=null
cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
header=Connection=upgrade
header=Sec-WebSocket-Version=13
header=Sec-WebSocket-Key=06K18ImuBoSwY85ku2AtMA==
header=Origin=https://ispace.space.smil
header=Upgrade=websocket
header=Cookie=$Version="1"
header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil"
header=Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db
header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil"
header=Host=ispace.space.smil:8443
locale=[]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=/172.22.1.138:2525
remoteHost=tlsdorl9166lg3.us.lmco.com
scheme=https
host=ispace.space.smil:8443
serverPort=8443
isSecure=true
--------------------------RESPONSE--------------------------
contentLength=-1
contentType=null
cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; domain=null; path=/premiereclient
header=Connection=Upgrade
header=Set-Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; path=/premiereclient
header=Sec-WebSocket-Location=wss://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
header=Origin=https://ispace.space.smil
header=Upgrade=WebSocket
header=Sec-WebSocket-Accept=J5354J166p8qV08GoBhXAN6ZRjY=
header=Date=Wed, 25 Sep 2019 05:49:25 GMT
status=101
You can notice that the status is 101, so the upgrade succeeded, and all works fine, but once again it is "disconcerting" that the adapters are doing anything at all on an excluded URL.
I get the same logging if I do not exclude the paths, but then I get a 401 and the upgrade fails.
Please advise if you can give me something to try.
I would like to not have to exclude either of these resources, but unfortunately there is zero ability for me to integrate Web Start in any way that I can find, so I can only hope to fix the websocket resources.
Thanks
Gene
5 years, 3 months