Re: [keycloak-user] Authentication throw a proxy on Undertow
by Davide Ungari
Hi Bill,
I see you have pushed some changes.
Tell me as soon as you need me to test it.
Thank you,
Davide.
> Weird... I'm actually screwing around with writing a security proxy
> right now. I just started like an hour or so ago so I'm not exactly
> sure...but I don't think you can implement this with the current
> codebase. You need an Undertow-only (no servlet) authentication
> mechanism and to set up the security handler chain correctly. (See the
> BasicAuthServer example in Undertow).
> I should have something working in master by the end of the week.
> On 11/19/2014 6:33 PM, Davide Ungari wrote:
> > Hi everybody,
> > this is the big picture:
> > a. frontend application with Undertow
> > b. backend application with Undertow and Resteasy for REST API
> >
> > Both are using Keycloak as SSO.
> >
> > I'm trying to configure a proxy from A to B in order to expose the backend
> > API without CORS problems to the frontend.
> >
> > I also asked the Undertow guys for support, but the issue seems to be around the
> > integration of Keycloak in Undertow. My proxy is implemented like:
> >
> > final ProxyClient proxyClient =
> >     new SimpleProxyClientProvider(new URI("http://localhost:8181"));
> > final ProxyHandler proxyHandler = new ProxyHandler(proxyClient, servletHandler);
> > proxyHandler.addRequestHeader(new HttpString("Authorization"), new ExchangeAttribute() {
> >     @Override
> >     public String readAttribute(HttpServerExchange exchange) {
> >         RefreshableKeycloakSecurityContext context =
> >             (RefreshableKeycloakSecurityContext) exchange.getSecurityContext();
> >         return "Bearer " + context.getTokenString();
> >     }
> >
> >     @Override
> >     public void writeAttribute(HttpServerExchange exchange, String newValue)
> >             throws ReadOnlyAttributeException {
> >         // TODO Auto-generated method stub
> >     }
> > });
> >
> > The problem is that exchange.getSecurityContext() is always null.
> > Any ideas?
> >
> > Thanks
> >
> > --
> > Davide
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
9 years, 11 months
We're sorry ... Unknown code, please login again through your application.
by Alexander Chriztopher
Hi All,
I am having the following behaviour within Keycloak:
# 1 / Open my application home page, which brings me to the Keycloak login page;
# 2 / Click on Forgot Password, then enter my login and validate. Keep this page open in my browser; this page contains a link: back to login;
# 3 / Open the received mail and click on the link to reset the password, which opens a new tab in my browser;
# 4 / Switch to the previous tab where I left the login page open and click on the link back to login;
# 5 / A new page opens with the message: We're sorry ... Unknown code, please login again through your application.
Could anyone tell me why I am getting this?
Thanks for your help.
10 years
Re: [keycloak-user] HTTP 403 Forbidden on Keycloak.getInstance
by Alexander Chriztopher
OK, I had to go to: User1 | ROLE MAPPING | APPLICATION ROLES | select the
application: realm-management | add the role: realm-admin to my user, and
now it is working!
Questions:
# 1 / Why is the application realm-management involved in this? In the
example I am using the application examples-admin-client, which is
completely different!
# 2 / When someone needs to administer a realm via the admin client, which
client id do you recommend using? Do we have to create a new client id (I
mean application) or should we use some application created by default
within the realm such as realm-management or security-admin-console?
On Tue, Dec 30, 2014 at 6:08 PM, Alexander Chriztopher <
alexander.chriztopher(a)gmail.com> wrote:
> Yes that option was activated for the realm !!
>
> On Tue, Dec 30, 2014 at 1:31 PM, Stian Thorgersen <stian(a)redhat.com>
> wrote:
>
>> Did you enable 'Direct Grant API' for your realm? If not, open the admin
>> console, click on the realm -> settings -> login and toggle 'Direct Grant
>> API' to ON
>>
>> ----- Original Message -----
>> > From: "Alexander Chriztopher" <alexander.chriztopher(a)gmail.com>
>> > To: keycloak-user(a)lists.jboss.org
>> > Sent: Friday, 19 December, 2014 4:06:56 PM
>> > Subject: [keycloak-user] HTTP 403 Forbidden on Keycloak.getInstance
>> >
>> > Hi,
>> >
>> > I have a realm with an application called examples-admin-client and would
>> > like to use it to manage my realm but I get an error
>> > javax.ws.rs.ClientErrorException: HTTP 403 Forbidden every time I make the
>> > following call:
>> >
>> > Keycloak keycloak = Keycloak.getInstance(authServer, "realm-name", "User1",
>> >     "password", "examples-admin-client",
>> >     "a5890cdf-e1df-40c0-9d50-26ad2f7badde");
>> >
>> > When I try to do the same thing with the example realm (I use the json
>> > example-realm.json provided by the Keycloak project) this works nicely
>> > actually!
>> >
>> > Btw, I can successfully login with the user User1 with that password.
>> >
>> > This is the json for my realm:
>> >
>> > {
>> >   "realm": "realm-name",
>> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxwUIE6W3BZYlSxDPpwkknb2ObnrEsGMUJGy3HfNEfkfu9rcY5bxkllLsW32KlR78++xtuI11IE2nuh6nJmUsIKMb55Ez9n7/E9kPmSF6lxavZlQY0HfBnR3ZWgzsoUUz4n7pOhmqHIAGXeuxnMDQ5/upwcolFIZRor1v7oT/H8QIDAQAB",
>> >   "auth-server-url": "http://localhost:8080/auth",
>> >   "ssl-required": "none",
>> >   "resource": "examples-admin-client",
>> >   "credentials": {
>> >     "secret": "a5890cdf-e1df-40c0-9d50-26ad2f7badde"
>> >   }
>> > }
>> >
>> > Thanks for any help on this one!
>> >
>>
>
>
10 years
HTTP 403 Forbidden on Keycloak.getInstance
by Alexander Chriztopher
Hi,
I have a realm with an application called examples-admin-client and would
like to use it to manage my realm but I get an error
javax.ws.rs.ClientErrorException: HTTP 403 Forbidden every time I make the
following call:
Keycloak keycloak = Keycloak.getInstance(authServer, "realm-name", "User1",
    "password", "examples-admin-client",
    "a5890cdf-e1df-40c0-9d50-26ad2f7badde");
When I try to do the same thing with the example realm (I use the json
example-realm.json provided by the Keycloak project) this works nicely
actually!
Btw, I can successfully login with the user User1 with that password.
This is the json for my realm:
{
  "realm": "realm-name",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxwUIE6W3BZYlSxDPpwkknb2ObnrEsGMUJGy3HfNEfkfu9rcY5bxkllLsW32KlR78++xtuI11IE2nuh6nJmUsIKMb55Ez9n7/E9kPmSF6lxavZlQY0HfBnR3ZWgzsoUUz4n7pOhmqHIAGXeuxnMDQ5/upwcolFIZRor1v7oT/H8QIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "none",
  "resource": "examples-admin-client",
  "credentials": {
    "secret": "a5890cdf-e1df-40c0-9d50-26ad2f7badde"
  }
}
Thanks for any help on this one!
10 years
Merry Christmas from the Keycloak team
by Stian Thorgersen
2014 was the year of Keycloak! At least that was the case for us on the Keycloak team. In January we released the very first alpha of the project. The first stable release wasn’t out until September, but in return we added a lot more features as well as reaching a very high level of stability for a 1.0.
Since then we’ve delivered a number of security and bug fixes for 1.0, while continuing to bake in new exciting features for 1.1. We’re planning to do a stable release of 1.1 early in the New Year, which will bring SAML 2, much improved clustering and a number of new application adapters.
Not only have we managed to provide a feature rich and easy to use open source security solution, but we’ve also managed to build an awesome community around the project. We’ve had over 5000 downloads, over 2500 commits from 32 contributors and our developer and user mailing lists are very active. Keycloak is already in use in production on a number of projects, in fact some have even used it in production since our first alpha release!
Our road-map for 2015 is not written in stone, but expect at least some of the following features to be delivered in 2015:
* Custom user profiles – this will let you configure the attributes for a user profile, which should be visible on the registration screen and account management, as well as specify validation
* Identity Brokering – we’re adding support to authenticate with external Identity Providers via OpenID Connect, SAML 2.0 and Kerberos
* Two-Factor Authentication – currently we only support Google Authenticator or FreeOTP applications for two-factor authentication, but we plan to make it possible to add your own and provide some more out of the box
* Client Accounts – these will be special user accounts directly linked to a client, allowing a client to access services as itself not just on-behalf of users
* Client Certificates – support authentication of clients with certificates
* Client Types – at the moment we have applications and oauth clients, the main difference being oauth clients require users to grant permissions to roles. To simplify the admin console we plan to introduce a single unified view for clients and also introduce new types such as devices
* Internationalization – internationalization support for login and account management pages
* SMS – enable SMS to recover passwords, as a 2nd factor authentication mechanism and to be notified about events like login failures
* OpenID Connect Dynamic Registration – allows clients to dynamically register with Keycloak. We’ll also look at passing the OpenID Connect Interop testing
* Mapping of users and tokens – custom mapping of user profiles from external identity stores and tokens from external Identity Providers
We also have ideas for some bigger features, but we’ll leave those as a surprise for 2015!
Finally, I’d like to wish everyone a Merry Christmas and a Happy New Year.
10 years
How to add users in bulk
by Hubert Przybysz
Hi,
Is there an easy way of adding a large number of users to a realm, where
usernames and initial passwords follow a certain pattern?
Best regards / Hubert.
10 years
Is it possible to update users with the admin client
by Alexander Chriztopher
Hi,
I would like to use the admin client to update a user in order to force him
to change his password next time he logs in.
So far I have failed miserably to do it, so I was wondering if this is at
all possible?
This is basically what I am doing:
Keycloak keycloak = Keycloak.getInstance(authServer, "example",
    "examples-admin-client", "password", "examples-admin-client", "password");
RealmResource realm = keycloak.realm("example");
UsersResource users = realm.users();
List<UserRepresentation> users_ = users.search("", 0, 1000000); // This gets me all my users
for (UserRepresentation user_ : users_) {
    if (user_.getUsername().equals("examples-admin-client")) {
        user_.setEmailVerified(true);
    }
}
RealmRepresentation realm_ = realm.toRepresentation();
realm_.setUsers(users_);
realm.update(realm_);
Does the update method of realm support updating users?
Thanks for any help on this.
10 years
Undertow Bearer Token in Cookie
by Jérôme Blanchard
Hi all,
Is it possible to configure the servlet adapter to check for the presence of a
bearer token in a cookie instead of in a header?
This question is about the download-file use case. If the bearer token is
placed in a cookie by the JavaScript client at the same time as setting the
header, this will ensure that the cookie is sent by the browser in
the case of a file download or an <img> tag that happens outside of an
XHR.
Thanks, Best Regards, Jérôme.
On Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard <jayblanc(a)gmail.com>
wrote:
> Hi Stian,
>
> Thanks for your clarifications, we have chosen to implement the solution of a
> time-based password.
> Using a ServletFilter and the Servlet 3.0 HttpRequest.login() feature
> we're able to intercept the token from the query parameter and propagate it to the
> JAAS stack. A dedicated LoginModule validates this token to set the
> principal in the EJB SecurityContext and, according to this, our custom
> authorisation system is used as is without the need to create a hook in the
> download operation.
> This solution gives the advantage of not interfering with the classic OAuth
> authentication in the case of an XHR header or a REST client that
> programmatically includes the bearer token in the request header.
>
> Thanks a lot for your support, Best Regards, Jérôme.
>
>
>
> On Wed Dec 17 2014 at 09:05:22, Stian Thorgersen <stian(a)redhat.com>
> wrote:
>
>
>>
>> ----- Original Message -----
>> > From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
>> > To: "Stian Thorgersen" <stian(a)redhat.com>
>> > Cc: keycloak-user(a)lists.jboss.org
>> > Sent: Tuesday, 16 December, 2014 5:51:37 PM
>> > Subject: Re: [keycloak-user] HTML5/JS and download URL.
>> >
>> > Hi,
>> >
>> > Thank you for your answer. Sorry for my lack of knowledge in OAuth, but
>> > speaking about generating a temporary token to include in the link, what
>> > kind of token do you mean and what is the best way to do that with
>> > Keycloak?
>>
>> We don't have any support for this at the moment so you would have to
>> make it yourself. With regards to the token, all I mean is something temporary
>> that allows the server to verify the user has permission to download the
>> file.
>>
>> For example the token could be the base64 encoded signature (HMAC, RSA or
>> whatever you'd like) of userid, timestamp/expiration and file-url. That way
>> the server can simply verify the signature on the server-side when the user
>> is trying to download the file and check that it matches.
>>
>> >
>> > Best regards, Jérôme.
>> >
>> > 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
>> > >
>> > >
>> > >
>> > > ----- Original Message -----
>> > > > From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
>> > > > To: keycloak-user(a)lists.jboss.org
>> > > > Sent: Monday, 15 December, 2014 3:13:06 PM
>> > > > Subject: [keycloak-user] HTML5/JS and download URL.
>> > > >
>> > > > Hi all,
>> > > > We have a use case where an HTML5/Angular application is calling a REST
>> > > > interface using Keycloak for SSO authentication. Everything works fine until
>> > > > we need to download files or preview images (using an <img> tag). In both
>> > > > cases, it is the browser which performs the request on the REST URL and,
>> > > > because of a specific XHR authentication putting the bearer token in the
>> > > > headers, a 'classic' browser request for downloading a file results in an
>> > > > UNauthenticated request because of the missing bearer token.
>> > > >
>> > > > We're wondering if there is a best practice to handle this case. We plan to
>> > > > include a dedicated token as a download request parameter and to check this
>> > > > particular query parameter programmatically in the /download JAX-RS
>> > > > operation. What kind of token should we put in the query, and is there
>> > > > an already existing mechanism to catch such a token in JAX-RS server-side
>> > > > operations or programmatically?
>> > >
>> > > We actually had the same issue in our admin console as we provide a
>> > > download option for the application config. AFAIK there are two solutions:
>> > >
>> > > * Generate a temporary token - basically what you're suggesting. There are
>> > > two ways you can do this: always generate one and add it to the link, or
>> > > use a redirect that only generates the token on demand
>> > > * Use XHR to get the file, which allows setting the Authorization header,
>> > > then use JavaScript to download
>> > >
>> > > There's currently no direct support for this in Keycloak, but it would be
>> > > interesting to add.
>> > >
>> > > >
>> > > > Thanks a lot for your support and so good work, Best Regards, Jérôme.
>> > > >
>> > >
>> >
>>
>
10 years
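Stian's suggestion in the quoted HTML5/JS download-URL exchange (a temporary token that is the signature over user id, expiration and file URL) written out as an added example; this is not code from the thread or from Keycloak, and the signing key, field layout and file paths are constructed for illustration. The verifier rejects a token whose MAC does not match, whose expiry has passed, or which was issued for a different file than the one requested.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical server-side signing key, constructed for this example.
# A deployment would load it from a secret store, never hard-code it.
SECRET_KEY = b"example-download-token-key-not-for-production"


def _b64e(data: bytes) -> str:
    # URL-safe base64 without padding, so the token survives a query string.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_download_token(user_id: str, file_url: str, ttl_seconds: int,
                         now: Optional[int] = None) -> str:
    """Mint a short-lived token binding user, file and expiry under one HMAC."""
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    # Newline is a safe separator: neither user ids nor URLs contain one.
    payload = "\n".join([user_id, str(expires), file_url]).encode("utf-8")
    return _b64e(payload) + "." + _b64e(_sign(payload))


def verify_download_token(token: str, requested_url: str,
                          now: Optional[int] = None) -> Optional[str]:
    """Return the user id the token was issued to, or None if it must be rejected."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        supplied_sig = _b64d(sig_b64)
        user_id, expires_str, file_url = payload.decode("utf-8").split("\n")
        expires = int(expires_str)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(supplied_sig, _sign(payload)):
        return None
    current = int(time.time()) if now is None else now
    if current >= expires:
        return None  # expired link
    if file_url != requested_url:
        return None  # token was minted for a different file
    return user_id
```

The download endpoint would call verify_download_token with the path actually requested and use the returned user id for its own authorisation check, so a captured link cannot be reused for another file or after its expiry.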
Best way to get subject without adding it as request parameter in cross domain back end REST service
by Dean Peterson
I am able to use a bearer token to call a Java REST service from a pure
JavaScript client. Unfortunately the KeycloakSecurityContext is
essentially empty on the back end. I need to filter and update data by
subject (idToken.subject). Initially I set up my back end REST application
as a bearer-token-only application; thinking that was the problem, I
switched to a confidential back end application, but the
KeycloakSecurityContext is still not populated. In order to communicate
with the service in a cross-domain way, I still need to send a bearer
token, regardless of the type of application. I can get the subject in
JavaScript and add it to the list of request parameters; however, it seems
that leaves me open to anyone with a valid token being able to request
another user's data. What is the best way to handle this kind of situation
using Keycloak?
10 years