Re: [keycloak-user] Authentication through a proxy on Undertow
by Davide Ungari
Hi Bill,
I see you have pushed some changes.
Tell me as soon as you need me to test it.
Thank you,
Davide.
> Weird... I'm actually screwing around with writing a security proxy
> right now. I just started like an hour or so ago so I'm not exactly
> sure... but I don't think you can implement this with the current
> codebase. You need an Undertow-only (no servlet) authentication
> mechanism and to set up the security handler chain correctly. (See the
> BasicAuthServer example in Undertow).
> I should have something working in master by the end of the week.
> On 11/19/2014 6:33 PM, Davide Ungari wrote:
> > Hi everybody,
> > this is the big picture:
> > a. frontend application with Undertow
> > b. backend application with Undertow and Resteasy for REST API
> >
> > Both are using Keycloak as SSO.
> >
> > I'm trying to configure a proxy from A to B in order to expose backend
> > API without CORS problems to the frontend.
> >
> > I asked support also to Undertow guys but the issue seems around the
> > integration of Keycloak in Undertow. My proxy is implemented like:
> >
> > import java.net.URI;
> > import io.undertow.attribute.ExchangeAttribute;
> > import io.undertow.attribute.ReadOnlyAttributeException;
> > import io.undertow.server.HttpServerExchange;
> > import io.undertow.server.handlers.proxy.ProxyClient;
> > import io.undertow.server.handlers.proxy.ProxyHandler;
> > import io.undertow.server.handlers.proxy.SimpleProxyClientProvider;
> > import io.undertow.util.HttpString;
> > import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
> >
> > // servletHandler is the next handler in the chain (the Keycloak-protected deployment)
> > final ProxyClient proxyClient =
> >         new SimpleProxyClientProvider(new URI("http://localhost:8181"));
> > final ProxyHandler proxyHandler = new ProxyHandler(proxyClient, servletHandler);
> > proxyHandler.addRequestHeader(new HttpString("Authorization"), new ExchangeAttribute() {
> >     @Override
> >     public String readAttribute(HttpServerExchange exchange) {
> >         // forward the caller's Keycloak token to the backend as a bearer token
> >         RefreshableKeycloakSecurityContext context =
> >                 (RefreshableKeycloakSecurityContext) exchange.getSecurityContext();
> >         return "Bearer " + context.getTokenString();
> >     }
> >
> >     @Override
> >     public void writeAttribute(HttpServerExchange exchange, String newValue)
> >             throws ReadOnlyAttributeException {
> >         // the header is derived from the security context, so it is read-only
> >     }
> > });
> >
> > The problem is that the exchange.getSecurityContext() is always null.
> > Any ideas?
> >
> > Thanks
> >
> > --
> > Davide
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
Questions about keycloak
by Ruben Lopez
Hi,
Our organization is currently evaluating the use of Keycloak and we have
some questions:
1 - Is there any way to obtain an access token for an OAuth Client via
Client Credentials[1]?
2 - If we make a request to an Application (Resource Server) with an access
token and this Application needs to talk to another protected Application
to form the response to the client, how does the first Application
authenticate to the second Application? Does Keycloak implement something
like the Chain Grant Type Profile[2]?
Thanks in advance.
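The two questions above are about the OAuth 2.0 client-credentials grant and a service-to-service call made with the resulting token. The following is an added example, not part of the thread and not Keycloak's own code: it builds the RFC 6749 client-credentials request against a realm's token endpoint, checks the token response, and builds the Bearer call from Application A to Application B using A's own token (rather than chaining the user's token, which is what the Chain Grant profile would do). Whether the Keycloak build being evaluated accepts this grant is exactly what the question asks and is not assumed here. The host, the "/auth" context path, the realm name, the client id and secret, and the sample token JSON are all constructed values.

```python
# Added example (not from the thread and not Keycloak's own code): build an
# RFC 6749 client-credentials token request against a Keycloak realm and the
# downstream Bearer call that Application A would make to Application B.
# The realm, client id/secret, host and the sample token JSON are constructed.
import base64
import json
import urllib.parse
import urllib.request

# Keycloak's OpenID Connect token endpoint sits under the realm. The host and
# the "/auth" context path are assumptions matching the 2014-era default.
TOKEN_ENDPOINT = "http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token"


def basic_client_auth(client_id, client_secret):
    """RFC 6749 s2.3.1: form-urlencode id and secret, then HTTP Basic them."""
    pair = "%s:%s" % (urllib.parse.quote(client_id, safe=""),
                      urllib.parse.quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def client_credentials_request(realm, client_id, client_secret, scope=""):
    """Build (but do not send) the token request. The secret travels only in
    the Authorization header, never in the query string, so it does not land
    in proxy or access logs."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return urllib.request.Request(
        TOKEN_ENDPOINT.format(realm=realm),
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={
            "Authorization": basic_client_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def parse_token_response(body, now, skew=30):
    """Check the shape of the token response and compute a conservative
    expiry so the caller renews `skew` seconds before the server does."""
    resp = json.loads(body)
    if "access_token" not in resp:
        raise ValueError("no access_token in response: %r" % resp.get("error"))
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type %r" % resp.get("token_type"))
    expires_in = int(resp.get("expires_in", 0))
    if expires_in <= 0:
        raise ValueError("non-positive expires_in")
    return {"access_token": resp["access_token"], "expires_at": now + expires_in - skew}


def downstream_request(url, token, now):
    """The call from A to B (question 2), authenticated with A's own token.
    Refuses a token that is expired or inside the skew window."""
    if now >= token["expires_at"]:
        raise RuntimeError("token expired; request a new one before calling B")
    return urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token["access_token"]})


# Constructed sample response in the shape an OAuth 2.0 token endpoint returns.
SAMPLE_RESPONSE = json.dumps(
    {"access_token": "eyJ.constructed.token", "expires_in": 300, "token_type": "bearer"}
).encode("utf-8")

if __name__ == "__main__":
    req = client_credentials_request("demo", "app-a", "s3cret")
    print(req.get_method(), req.full_url, req.data)
    tok = parse_token_response(SAMPLE_RESPONSE, now=1000.0)
    print(downstream_request("http://localhost:8181/api", tok, now=1000.0)
          .get_header("Authorization"))
```

The point of the skew in parse_token_response is the failure mode a chained call hits in practice: A's token is still valid when A starts building the response but expires during the call to B, and B answers 401. Renewing before the server-side expiry avoids that.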
REST services supporting basic auth and bearer tokens
by Gary Brown
Hi
Concrete use case - we have implemented the OASIS S-RAMP specification, in which it requires basic auth support (http://docs.oasis-open.org/s-ramp/s-ramp/v1.0/s-ramp-v1.0-part2-atom-bind... section 5 "The S-RAMP Specification does not attempt to define a security model for products that implement it. For the Atom Binding, the only security requirement is that at a minimum, client and server implementations MUST be capable of being configured to use HTTP Basic Authentication in conjunction with a connection made with TLS.").
However we also need the same service to support bearer token, for use within our KeyCloak SSO session.
I've implemented a possible solution, details defined on https://issues.jboss.org/browse/KEYCLOAK-861.
If this solution is on the right path, I would appreciate any feedback on any changes that might be required before submitting a PR. Currently there are no tests, but would aim to provide some with the PR.
Regards
Gary
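Gary's patch itself is only described on the JIRA link above, so the following is an added example and not his code or Keycloak's adapter code. It shows the shape of the problem: one authenticator that looks at the Authorization header and accepts either HTTP Basic or a Bearer token for the same resource, refusing Basic when the connection is not TLS (the S-RAMP requirement quoted above), and never falling through to anonymous on an unknown scheme. The user store, the HMAC key and the token format are constructed for the example; real Keycloak access tokens are RS256-signed JWTs, which this toy verifier does not implement.

```python
# Added example (not Gary's patch and not Keycloak's adapter code): a single
# authenticator that accepts either HTTP Basic or a Bearer token for the same
# resource. The user store, the HMAC key and the token format are constructed
# for the example; real Keycloak tokens are RS256 JWTs, which this toy does
# not verify.
import base64
import binascii
import hashlib
import hmac
import json


def _hash_pw(salt, password):
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# constructed user store: username -> (salt, sha256(salt || password))
USERS = {"alice": (b"salt-1", _hash_pw(b"salt-1", "correct horse"))}
HMAC_KEY = b"constructed-demo-key"  # stands in for the realm signing key


def _b64url_enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_header(user, password):
    """Client side: what an S-RAMP client sends (over TLS only)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


def mint_token(sub, exp):
    """Constructed bearer token: base64url(claims) '.' base64url(HMAC-SHA256)."""
    body = json.dumps({"sub": sub, "exp": exp}).encode("utf-8")
    return _b64url_enc(body) + "." + _b64url_enc(hmac.new(HMAC_KEY, body, hashlib.sha256).digest())


def _check_basic(param):
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    entry = USERS.get(user)
    if entry is None:
        _hash_pw(b"dummy", password)  # keep timing similar for unknown users
        return None
    salt, expected = entry
    if hmac.compare_digest(_hash_pw(salt, password), expected):
        return {"user": user, "scheme": "basic"}
    return None


def _check_bearer(token, now):
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _b64url_dec(body_b64), _b64url_dec(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(HMAC_KEY, body, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(body)
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return {"user": claims.get("sub"), "scheme": "bearer"}


def authenticate(headers, now, over_tls):
    """Return the authenticated identity, or None (the caller answers 401 with
    both WWW-Authenticate challenges). Basic is only honoured over TLS, per
    the S-RAMP text quoted above; Bearer should be TLS-only in production too."""
    value = headers.get("Authorization", "")
    scheme, _, param = value.partition(" ")
    scheme, param = scheme.lower(), param.strip()
    if scheme == "basic":
        return _check_basic(param) if over_tls else None
    if scheme == "bearer":
        return _check_bearer(param, now)
    return None  # unknown or missing scheme: never fall through to anonymous


if __name__ == "__main__":
    print(authenticate({"Authorization": basic_header("alice", "correct horse")}, 0, over_tls=True))
    print(authenticate({"Authorization": "Bearer " + mint_token("alice", 2000)}, 1000, over_tls=True))
```

Two details matter when the same endpoint serves both schemes: the scheme name is compared case-insensitively (RFC 7235), and the response to an unauthenticated request should carry both a Basic and a Bearer challenge so that S-RAMP clients and SSO clients each see the one they understand.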
Internationalisation
by Alexander Chriztopher
Hi All,
Do you have any plans for Internationalisation in Keycloak?
Providers with CDI
by Alexander Chriztopher
Hi All,
Is there a way to get providers to be managed by CDI?
The aim is to get access to services such as entity manager injection and
lifecycle management which would be done manually today.
Thanks for any help.
Error on application log in
by Fabián Silva
I have a keycloak installed on wildfly standalone. I'm trying to deploy an
application, that uses this keycloak, on a separate server with wildfly
running in domain mode. I tried first to deploy on a domain out of the box
on my local machine, setting the keycloak-wildfly-adapter-dist-1.0.4.Final.
It deploys fine and does the authentication without any issues. When I try
to migrate it to the server running my wildfly (also in domain mode and the
keycloak adapter set), it deploys fine and shows the keycloak login once
you enter the application. But the problem is that when you login it
displays a "403 - Forbidden" and on the log I'm seeing
ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6)
failed to turn code into token
ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6)
status from server: 404
The only difference between those two wildfly domain mode setups is that in the
local one I don't have SSL/HTTPS enabled.
Has anyone seen this error? Or have an idea of what this could be?
Regards
Mobile Authentication API
by Rodrigo Sasaki
Hello,
I was wondering if there is a plan (or maybe something already built) for
native mobile authentication with Keycloak.
Right now we need to redirect the user to a web view so he can interface
with Keycloak to login, and from there on he can use the app normally, but
is there something native for this? We're trying to find ways to use the
smartphone's native authentication systems to login the users, and so far
we haven't been able to make it work.
Have you thought of something along those lines?
Thank you.
--
Rodrigo Sasaki
Re: [keycloak-user] Brute force attack questions
by Alexander Chriztopher
I am trying to find a workaround in order to be able to unlock a user account. So
far I have tried to disable then enable the user account but this does not
do the trick apparently.
I have also tried to tweak the database but it looks like the lock
information is not stored in the db even though there is the table:
USERNAME_LOGIN_FAILURE. Is it normal that this table stays empty even on
login failures?
Do you think of any other good workaround?
On Tue, Nov 25, 2014 at 11:03 PM, Alexander Chriztopher <
alexander.chriztopher(a)gmail.com> wrote:
> Nice! Again, thank you.
>
> > On 25 Nov 2014, at 21:39, Bill Burke <bburke(a)redhat.com> wrote:
> >
> >> On 11/25/2014 3:27 PM, Alexander Chriztopher wrote:
> >> Hi Bill and thanks.
> >>
> >> Do you think we will be able to have this within a short period of time
> >> (4-6 weeks) or is it going to be planned for the long run?
> >
> > Not sure on the priority of this. We have face to face meetings in a
> > couple of weeks to discuss priority, then of course, it's Christmas vacation.
> >
> >> When is the value of max wait used as there is already a wait increment
> >> out there?
> >
> > Correct. It will increase the wait after each failure until the max is
> > hit.
> >
> >>> On 25 Nov 2014, at 20:05, Bill Burke <bburke(a)redhat.com> wrote:
> >>>
> >>>> On 11/25/2014 12:32 PM, Alexander Chriztopher wrote:
> >>>> Hi,
> >>>>
> >>>> I have some questions with regards to Brute Force Attack Protection:
> >>>>
> >>>> # 1 / When brute force attack protection is enabled is there a way to
> >>>> know when a user account is locked? I am thinking about the admin
> >>>> console.
> >>>>
> >>>> # 2 / When a user account is locked is there a way to unlock it from
> >>>> the admin console?
> >>>
> >>> Unfortunately no for the above. I'll log a jira.
> >>>
> >>>> # 3 / What is the difference between wait increment (When failure
> >>>> threshold has been met, how much time should the user be locked out?)
> >>>> and max wait (Max time a user will be locked out.).
> >>>
> >>> correct on both.
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
>
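The thread above describes the lockout policy in words (failure threshold, wait increment, max wait, and Bill's note that the wait grows after each failure until the max is hit) and two things the console could not do at the time: show which accounts are locked, and unlock one. The following is an added example, not Keycloak's implementation, that models that behaviour in a small lockout tracker so the parameters can be reasoned about. The exact formula Keycloak applies is an assumption here; the parameter names mirror the admin-console labels, and the login stream at the bottom is constructed.

```python
# Added example (not Keycloak's implementation): a lockout simulator that
# follows the behaviour described in the thread. Once the failure threshold is
# met the account is locked for one wait increment, each further failure
# lengthens the lock by another increment, and max wait caps it. The exact
# formula Keycloak uses is an assumption here; the parameter names mirror
# the admin-console labels. The login stream at the bottom is constructed.
from dataclasses import dataclass, field


@dataclass
class BruteForcePolicy:
    failure_threshold: int = 3   # failures before the first lockout
    wait_increment: int = 60     # seconds of lock added per failure past threshold
    max_wait: int = 900          # upper bound on a lock, in seconds


@dataclass
class UserState:
    failures: int = 0
    locked_until: float = 0.0
    log: list = field(default_factory=list)   # (timestamp, outcome)


class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self.users = {}

    def _state(self, user):
        return self.users.setdefault(user, UserState())

    def attempt(self, user, password_ok, now):
        """Process one login and return 'ok', 'bad_password' or 'locked'.
        A locked account rejects even the correct password."""
        st = self._state(user)
        if now < st.locked_until:
            outcome = "locked"
        elif password_ok:
            st.failures, st.locked_until, outcome = 0, 0.0, "ok"
        else:
            st.failures += 1
            outcome = "bad_password"
            over = st.failures - self.policy.failure_threshold + 1
            if over >= 1:
                wait = min(self.policy.wait_increment * over, self.policy.max_wait)
                st.locked_until = now + wait
        st.log.append((now, outcome))
        return outcome

    def is_locked(self, user, now):
        return now < self._state(user).locked_until

    def locked_users(self, now):
        """What an admin-console 'locked accounts' view would list (question 1)."""
        return sorted(u for u, s in self.users.items() if now < s.locked_until)

    def unlock(self, user):
        """Administrative unlock (question 2): clears both the lock and the
        failure count, otherwise the next bad password re-locks at a longer wait."""
        st = self._state(user)
        st.failures, st.locked_until = 0, 0.0


# constructed login stream: (seconds, user, password_ok)
SAMPLE_LOGINS = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (10, "alice", True), (62, "alice", False), (100, "alice", True),
]


def run(policy=None):
    """Replay SAMPLE_LOGINS through a tracker; returns (tracker, outcomes)."""
    policy = policy or BruteForcePolicy(failure_threshold=3, wait_increment=60, max_wait=120)
    tracker = LockoutTracker(policy)
    outcomes = [tracker.attempt(u, ok, t) for t, u, ok in SAMPLE_LOGINS]
    return tracker, outcomes


if __name__ == "__main__":
    tracker, outcomes = run()
    print(outcomes)
    print(tracker.locked_users(100))
```

Note that in this model the failure counter is what drives the growing wait, which is why a disable/enable cycle that clears the lock but not the counter would not help: the next wrong password immediately re-locks the account for a longer period. An unlock operation has to reset both.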