Hi Dmitry,
I set the realm in session to the issuer in the access token and then it works. Thanks!
Hope you had a pleasant Christmas and a good start in the new year. : )
Mit freundlichen Grüßen / With kind regards
David Herrmann
RD/UIA
Team Rising Stars
Daimler AG
HPC G464
70546 Stuttgart
Mobil: +49 176 309 369 87
What3Words Address:
entfalten.jüngste.nehmen
choppy.impact.moisture
E-Mail: david_christian.herrmann(a)daimler.com
Daimler AG
Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial
Register No. 19360
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman),
Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger,
Hubertus Troska, Bodo Uebber
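As an added example (not code from this thread, from BeerCloak, or from Keycloak itself), the fix David reports above, and the realm-resolution change Dmitry describes in the quoted thread below, can be written for a custom RealmResourceProvider like this. The unverified `iss` claim is used only to pick the realm whose keys verify the signature; `session.getContext().setRealm()` is pointed at that realm while `authenticateBearerToken()` runs, restored afterwards, and the `view-users` role is then checked against the target realm. Class and method names (`CrossRealmAuth`, `authenticate`) are my own; the Keycloak calls (`AppAuthManager`, `JWSInput`, `AdminAuth`, `RealmModel.getMasterAdminClient()`, `Config.getAdminRealm()`) follow what `org.keycloak.services.resources.admin.AdminRoot` used in the 4.8-era API and are assumed to be unchanged for that release; they may have moved in later versions.

```java
package example.resources; // hypothetical package for this added example

import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;

import org.keycloak.Config;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resources.admin.AdminAuth;

/**
 * Bearer-token authentication for a custom REST resource that must accept
 * callers from the master realm as well as from the realm it lives in.
 * Added example against the Keycloak 4.8-era API; not BeerCloak or Keycloak code.
 */
public class CrossRealmAuth {

    private final KeycloakSession session;
    private final AppAuthManager authManager = new AppAuthManager();

    public CrossRealmAuth(KeycloakSession session) {
        this.session = session;
    }

    /**
     * Verifies the bearer token of the current request against the realm that
     * issued it and returns an AdminAuth scoped to targetRealm (the realm the
     * REST resource belongs to), or throws a 401/403.
     */
    public AdminAuth authenticate(RealmModel targetRealm) {
        KeycloakContext ctx = session.getContext();
        String tokenString = authManager.extractAuthorizationHeaderToken(ctx.getRequestHeaders());
        if (tokenString == null) {
            throw new NotAuthorizedException("Bearer");
        }

        // Peek at the claims WITHOUT trusting them: nothing is verified yet. The issuer
        // is used only to choose the realm whose keys will verify the signature.
        AccessToken unverified;
        try {
            unverified = new JWSInput(tokenString).readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            throw new NotAuthorizedException("Bearer token format error");
        }
        String issuer = unverified.getIssuer();
        if (issuer == null) {
            throw new NotAuthorizedException("Token has no issuer");
        }
        // Issuer has the form <base>/auth/realms/<realm>, as AdminRoot assumes too.
        String issuerRealmName = issuer.substring(issuer.lastIndexOf('/') + 1);
        RealmModel issuerRealm = session.realms().getRealmByName(issuerRealmName);
        if (issuerRealm == null) {
            throw new NotAuthorizedException("Unknown realm in token");
        }

        // Only the target realm itself and the master realm may issue tokens for this
        // resource; otherwise any realm on the server could mint a token that passes
        // signature verification below.
        RealmModel master = session.realms().getRealmByName(Config.getAdminRealm());
        boolean fromMaster = issuerRealm.getId().equals(master.getId());
        if (!fromMaster && !issuerRealm.getId().equals(targetRealm.getId())) {
            throw new NotAuthorizedException("Token issued by a foreign realm");
        }

        // Since 4.x the signing key is looked up through session.getContext().getRealm(),
        // so the context realm must be the issuing realm while the token is verified.
        // It is restored afterwards so the rest of the request still sees targetRealm.
        RealmModel previous = ctx.getRealm();
        AuthenticationManager.AuthResult result;
        try {
            ctx.setRealm(issuerRealm);
            result = authManager.authenticateBearerToken(session, issuerRealm);
        } finally {
            ctx.setRealm(previous);
        }
        if (result == null) {
            throw new NotAuthorizedException("Bearer");
        }

        // Use the verified token from here on, not the unverified copy parsed above.
        AccessToken token = result.getToken();
        ClientModel callerClient = issuerRealm.getClientByClientId(token.getIssuedFor());
        if (callerClient == null) {
            throw new NotAuthorizedException("Unknown client in token");
        }
        AdminAuth auth = new AdminAuth(targetRealm, token, result.getUser(), callerClient);

        // Master-realm users hold permissions for another realm as client roles of the
        // "<realm>-realm" client in master; same-realm users hold them on "realm-management".
        ClientModel permissionClient = fromMaster
                ? targetRealm.getMasterAdminClient()
                : targetRealm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        if (!auth.hasAppRole(permissionClient, AdminRoles.VIEW_USERS)) {
            throw new ForbiddenException("view-users permission required");
        }
        return auth;
    }
}
```

A resource would call `new CrossRealmAuth(session).authenticate(session.getContext().getRealm())` at the top of each request handler, before it reads the context realm for anything else. Restricting accepted issuers to the target realm and master is the check most easily forgotten once the context realm is switched: without it, signature verification succeeds for a token from any realm on the server.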
-----Original Message-----
From: Dmitry Telegin [mailto:dt@acutus.pro]
Sent: Thursday, 27 December 2018 12:08
To: Herrmann, David Christian (059) <david_christian.herrmann(a)daimler.com>; keycloak-user(a)lists.jboss.org
Cc: fabian.loewner(a)freiheit.com; Scheuermann, Marco (059) <marco.scheuermann(a)daimler.com>
Subject: Re: AW: [keycloak-user] Cross Realm authorization
Hello David,
Thanks a lot for your extensive research! Indeed, in recent Keycloak the internal
authentication logic has changed. Particularly, session.context.realm has to be set to
user's realm in order for authentication to succeed. As a consequence, custom REST
resources can no longer rely on session.getContext().getRealm() for realm resolution.
I've updated BeerCloak in GitHub, so please test it and let me know of the results. As
the next major update (hopefully January) I'm planning to make the code more aligned
to what we have in Keycloak (particularly org.keycloak.services.resources.admin.AdminRoot)
and maybe implement fine-grained permissions.
Merry Christmas and a Happy New Year to you and all the Keycloakers :)
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-12-19 at 10:57 +0000, david_christian.herrmann(a)daimler.com wrote:
Hi Dmitry,
I set up remote debugging for Keycloak and had a look at what happens in Keycloak 4.8.0.Final.
authenticateBearerToken(session, realm) (or, to be more precise, verifyIdentityToken(....)) returns null in my testing because:
- at https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java :1153 there is an exception in verifier(kid)
- this happens because in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/keys/DefaultKeyManager.java :106 the first part of the if-statement in method getKey(RealmModel realm, String kid, KeyUse use, String algorithm) does not become true
- I think this happens because here getKey(...) is called with session.getContext().getRealm() --> the realm from the session --> the realm where the requested resource is. But kid is taken from the token, which is created for the realm where the technical user is.
- the call to getKey() is in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/crypto/ServerAsymmetricSignatureVerifierContext.java :29
- kid is taken in https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java :1145-1150
I hope this information is useful for you.
With kind regards
David Herrmann
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On behalf of david_christian.herrmann(a)daimler.com
Sent: Wednesday, 19 December 2018 08:24
To: dt(a)acutus.pro; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Cross Realm authorization
Hi Dmitry,
In the meantime I tested with Keycloak 3.4.3.Final. There I do not have the problem with the Unauthorized response.
With kind regards
David Herrmann
-----Original Message-----
From: Herrmann, David Christian (059)
Sent: Tuesday, 18 December 2018 09:24
To: 'Dmitry Telegin' <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org
Subject: AW: AW: [keycloak-user] Cross Realm authorization
Hi Dmitry,
I used Keycloak 4.5.0.Final to test the implementation.
With kind regards
David Herrmann
-----Original Message-----
From: Dmitry Telegin [mailto:dt@acutus.pro]
Sent: Tuesday, 18 December 2018 02:10
To: Herrmann, David Christian (059) <david_christian.herrmann(a)daimler.com>; keycloak-user(a)lists.jboss.org
Subject: Re: AW: [keycloak-user] Cross Realm authorization
David,
Which version of Keycloak are you using?
The authorization subsystem undergoes changes from release to release, so I'm going
to double check the BeerCloak works with the recent Keycloak versions and update it if
necessary.
Cheers,
Dmitry
On Mon, 2018-12-17 at 13:09 +0000, david_christian.herrmann(a)daimler.com wrote:
> Hi Dmitry,
>
> I implemented it based on beercloak.
>
> Here in AbstractAdminResource.java:
>
> AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session, realm);
>
> if (authResult == null) {
>     throw new NotAuthorizedException("Bearer");
> }
>
> Still results in Unauthorized.
>
> I tried it with a user in the master realm that has "view-users" for the user realm, and with an admin user from the master realm. Both resulted in a 401 at the mentioned code point.
>
> The realm is set to the master realm and the session seems to be injected ... Any ideas?
>
> With kind regards
> David Herrmann
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On behalf of david_christian.herrmann(a)daimler.com
> Sent: Monday, 17 December 2018 08:29
> To: dt(a)acutus.pro; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Cross Realm authorization
>
> Hi Dmitry,
>
> thanks for your answer and the link to your project! I will try this out.
>
> With kind regards
> David Herrmann
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt@acutus.pro]
> Sent: Monday, 17 December 2018 05:09
> To: Herrmann, David Christian (059) <david_christian.herrmann(a)daimler.com>; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Cross Realm authorization
>
> Hello David,
>
> Please take a look at how it is done in BeerCloak:
>
> https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/main/java/beercloak/resources
>
> All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms.
>
> (Some musings: I dream of having AdminRealmResourceProvider with all
> that stuff OOTB; the idea has been around for years, but I'm afraid
> we won't have it in Keycloak anytime soon. Luckily, this can be done
> at a low price of introducing some boilerplate code into your
> project.)
>
> Good luck,
> Dmitry Telegin
>
> On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann(a)daimler.com wrote:
> > Hello,
> >
> > we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:
> >
> > AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session);
> >
> > if (authResult == null) {
> >     throw new NotAuthorizedException("Bearer token required");
> > }
> >
> > And
> >
> > if (!auth.hasClientRole(client, "view-users")) {
> >     throw new NotAuthorizedException("Necessary permission not available");
> > }
> >
> > We now have the problem, that we want to access the endpoint with technical
users which are in the master realm to separate them from the real end-users.
> >
> > So the technical users get their access token from the master realm (which
contains the necessary resource permissions for the user realm) and then access the
endpoint in the user realm.
> >
> > Here
> >
> > AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session);
> >
> > if (authResult == null) {
> >     throw new NotAuthorizedException("Bearer token required");
> > }
> >
> > always results in Unauthorized.
> >
> > Looking at the code and from testing, I think cross-realm authentication is not possible with authenticateBearerToken(). Correct? Do you have a suggestion how to achieve our goal?
> >
> > With kind regards
> > David Herrmann
> >
> >
> >
> > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>