cascaded microservice security
by Dirk Franssen
Hi,
as I didn't receive any feedback on this question yet, I will resend it
(perhaps due to pending subscription)
On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen <dirk.franssen(a)gmail.com>
wrote:
> Hi,
>
> how would one configure Keycloak to obtain the following scenarios?
>
> Scenario 1:
>
> client A: public (angular app)
> client B: bearer-only (microservice)
> client C: bearer-only (microservice)
>
> - microservice B is allowed to call microservice C, but an authenticated
> user in the js app A should be forbidden to call microservice C directly.
>
> Scenario 2:
>
> client A: public (angular app)
> client B: confidential (1 war with a REST service AND a JSF application,
> both using the same EJB business layer which is accessing microservice C)
> client C: bearer-only (microservice)
>
> - a user authenticated in the angular app can use the REST service of app
> B and will see the results of microservice C, but the user may not call
> microservice C directly
> - a user authenticated in the JSF application will see the results of
> microservice C when using the JSF application, but should not be able to
> use microservice C directly (if the user would reuse the same access_token)
> - should there be different roles for the REST part and the JSF part of
> app B (for accessing microservice C)?
>
> Kind regards,
> Dirk
>
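One defence-side check that bears on scenario 1, as an added example that is not part of the original post and not Keycloak's code: a bearer-only microservice C inspects two claims of an incoming access token, `azp` (the client the token was issued to) and the client roles under `resource_access`, and refuses a token that the public front-end A obtained even when the user holds the role. It assumes the Keycloak access-token layout with those two claims, and that microservice B presents a token issued to itself (`azp` = B) rather than forwarding the user's token; signature and expiry verification is assumed to have been done by the adapter before these claim checks run. The sample tokens are constructed and unsigned.

```python
"""Claim checks a bearer-only microservice can apply to an incoming access token.

Added example, not from the original post or from Keycloak. It assumes the
Keycloak access-token layout: an `azp` (authorized party) claim naming the
client the token was issued to, and a `resource_access` claim holding
per-client roles. Signature and expiry verification is assumed to have been
done by the adapter before these checks run; this code only inspects claims.
"""
import base64
import json


def decode_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_call(claims: dict, service: str, allowed_callers: set, required_role: str) -> tuple:
    """Decide whether a token may call `service`; returns (allowed, reason).

    Two independent conditions must hold:
      1. the token was issued to one of `allowed_callers` (azp), so a token
         obtained by the public front-end (client A) is refused even if the
         user holds the role;
      2. the token carries `required_role` for `service` under resource_access.
    """
    azp = claims.get("azp")
    if azp not in allowed_callers:
        return False, f"azp {azp!r} is not an allowed caller of {service}"
    roles = claims.get("resource_access", {}).get(service, {}).get("roles", [])
    if required_role not in roles:
        return False, f"missing role {required_role!r} for {service}"
    return True, "ok"


def _encode_segment(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned compact JWT for the demo (not a real Keycloak token)."""
    return f"{_encode_segment({'alg': 'none', 'typ': 'JWT'})}.{_encode_segment(claims)}."


# Constructed sample tokens mirroring scenario 1 of the post: both carry the
# client role for C, but only the one issued to B should be accepted by C.
TOKEN_FROM_A = make_unsigned_token({
    "sub": "user-1",
    "azp": "client-a",
    "resource_access": {"client-c": {"roles": ["call-c"]}},
})
TOKEN_FROM_B = make_unsigned_token({
    "sub": "service-b",
    "azp": "client-b",
    "resource_access": {"client-c": {"roles": ["call-c"]}},
})


def check(token: str) -> bool:
    """Microservice C's decision for a token: only B may call it, with role call-c."""
    allowed, _ = authorize_call(decode_payload(token), "client-c", {"client-b"}, "call-c")
    return allowed


if __name__ == "__main__":
    for name, tok in (("token from A", TOKEN_FROM_A), ("token from B", TOKEN_FROM_B)):
        print(name, authorize_call(decode_payload(tok), "client-c", {"client-b"}, "call-c"))
```

The `azp` condition is what separates the two scenarios: a role check alone cannot tell a token forwarded by the browser app from one obtained by the service, so the service has to restrict the issuing client as well as the role.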
Spring Security adapter single logout
by Andy Yar
Hello,
I'm using 1.7.0 final integrated with Spring Security (which itself is
integrated into Grails) using the OpenID Connect method. I've been kind of
stuck with single (back-channel, k_logout) logout for a while.
It seems it's handled by the preAuthActions filter, which simply invalidates
local sessions via a call to an injected HttpSessionManager. This manager
stores active sessions in its instance and puts/removes them in reaction
to HttpSessionEvents.
It looks like the HttpSessionManager has to be registered as a JEE listener
in order to receive HttpSessionEvents. However, then you end up with two
different instances - the listener and the bean in preAuthActions. Thus the
invalidation process can't reach the sessions stored in the listener's instance
and can't invalidate them at all.
A big sorry if I'm missing something very obvious.
Andy
authentication provider and login override questions
by Johan Bos
Hi,
I can see Keycloak allows you to define authentication based on the SAML protocol.
My requirements are:
a set of applications/clients secured by a Keycloak server
roles/groups defined in Keycloak
user/pass synchro from ActiveDirectory (optional - surely some mapping
to retrieve some information)
We need Keycloak and like it: for the user management and authentication
solution it provides to an application, in a simple way.
1) When an SSO is already in place.
As the apps we provide are sometimes, but not always, integrated into a
customer environment that is already using an SSO solution, I would like to know
if my understanding is right:
does the authentication module in Keycloak where you can define SAML
providers delegate the SSO/login part to an external solution that
handles the authentication for it?
A possible SSO is "Ping"; it says it is SAML compatible. Does that mean
I only need the SSO URL and logout URL to try it?
2) Since Keycloak provides the login pages for SSO.
How do you integrate it with an application (angular/J2EE) that already
has its own? Without removing it.
Do you keep the basic J2EE setup so any client URL would be secured, then
once authorized, the app will continue to bring up its own login page?
Does it mean the app should have a filter to imply some auto-connect
so the client side does not try to bring up the login and instead considers the
user connected?
Or does it mean using keycloak.js and following some angular example where
upon loading we first do everything from the JS side and make no
change to the Java apps?
3) I tried to override the login flow, to make my own authenticator. I
could see multiple ways to do it. My requirement is to have a
supplementary field on the login page, because I need to authenticate
and validate my username/pass/repo against a REST API that must be accessed in
a secured way all the time, prior to giving access to my clients/realm.
In order to make this, I ended up providing my own template (ftl) but
then I could no longer use login.username in it, since
createResponse (normal cases) is the only one to take the form data and
load the LoginBean into the attributes with it. I was using my-page.ftl so
could not use createLogin; instead I was using createForm.
So even when I set the attribute with the "login" key based on the
loginBean, login.username was triggering an error.
forms.setAttribute("login", new LoginBean(formData));
So whatever, I simply used "username" directly and it worked, but I
don't know to which extent nor why. I am missing some knowledge of the FreeMarker
API and how you compile it with POJO beans in a Map.
3bis) For my supplementary field, I need a dropdown box and FreeMarker would
need a collection to loop over. I thought I would have to pass a list of
POJOs (to create a dropdown) to the "attributes" that are used to
compile my template. In my template, I used "#list", but I could not get
it to recognize my bean nor loop on it. It always considers it as not
present.
Here is a sample of my authenticator that produces the new login form:
// repositories being a java.util.List<Repository>, and Repository is a
// POJO with name and description attributes (get methods implemented)
// context being the AuthenticationFlowContext
I simply do:
LoginFormsProvider forms = context.form();
forms.setAttribute("repositories", repositories);
forms.setAttribute("repository", "<default_value>");
I do this before doing forms.createForm("my-login.ftl").
Here is what I added to my-login.ftl, which is a copy of login.ftl
with a new field:
// ...I removed the label for the field, which works nicely...
<#if repository??>
  <select id="repository" class="${properties.kcInputClass!}" name="repository" value="${repository}">
<#else>
  <select id="repository" class="${properties.kcInputClass!}" name="repository" autofocus>
</#if>
<#if repositories??>
  <#list repositories as repo>
    <#if repository?? && repository == repo.name>
      <option value="${repo.name}" selected="true">${repo.description}</option>
    <#else>
      <option value="${repo.name}">${repo.description}</option>
    </#if>
  </#list>
<#else>
  <option value="demo">demo</option>
</#if>
</select>
What do I get wrong? I always have only the demo option.
--
Regards,
Johan Bos
Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
by Bill Burke
See Alan Field's response. He's being moderated and...I've forgotten
the moderator password. :)
On 12/14/2015 7:55 PM, Alan Field wrote:
> Hey Scott,
>
> ------------------------------------------------------------------------
>
> *From: *"Scott Rossillo" <srossillo(a)smartling.com>
> *To: *"Marek Posolda" <mposolda(a)redhat.com>, afield(a)redhat.com
> *Cc: *"keycloak-user" <keycloak-user(a)lists.jboss.org>, "Bill Burke"
> <bburke(a)redhat.com>
> *Sent: *Monday, December 14, 2015 6:31:30 PM
> *Subject: *Re: [keycloak-user] Replace use of Infinispan with User
> Sessions SPI ?
>
> There are two issues:
>
> 1. Infinispan relies on JGroups, which is difficult to configure
> correctly with the various ping techniques that aren’t UDP
> multicast. I can elaborate on each one that we tested but it’s just
> generally complex to get right. That’s not to say it’s impossible or
> the biggest reason this is complicated on ECS or _insert container
> service here_, see #2 for that.
>
>
> The Infinispan server and JBoss EAP include a TCP-based stack in the
> configuration to run on EC2 that looks like this:
>
> <stack name="s3">
>   <transport type="TCP" socket-binding="jgroups-tcp"/>
>   <protocol type="S3_PING">
>     <property name="location">${jgroups.s3.bucket:}</property>
>     <property name="access_key">${jgroups.s3.access_key:}</property>
>     <property name="secret_access_key">${jgroups.s3.secret_access_key:}</property>
>     <property name="pre_signed_delete_url">${jgroups.s3.pre_signed_delete_url:}</property>
>     <property name="pre_signed_put_url">${jgroups.s3.pre_signed_put_url:}</property>
>     <property name="prefix">${jgroups.s3.prefix:}</property>
>   </protocol>
>   <protocol type="MERGE3"/>
>   <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
>   <protocol type="FD_ALL"/>
>   <protocol type="VERIFY_SUSPECT"/>
>   <protocol type="pbcast.NAKACK2">
>     <property name="use_mcast_xmit">false</property>
>   </protocol>
>   <protocol type="UNICAST3"/>
>   <protocol type="pbcast.STABLE"/>
>   <protocol type="pbcast.GMS"/>
>   <protocol type="MFC"/>
>   <protocol type="FRAG2"/>
> </stack>
>
>
> With this in the configuration file, you can start the server with the
> following system properties defined:
>
>
> bin/clustered.sh -Djboss.node.name=node0
> -Djboss.socket.binding.port-offset=0 -Djboss.default.jgroups.stack=s3
> -Djgroups.s3.bucket=<s3_bucket_name>
> -Djgroups.s3.access_key=<access_key>
> -Djgroups.s3.secret_access_key=<secret_access_key>
>
>
> This will cause the server to start and the nodes will write to a file
> in the S3 bucket to allow the nodes to discover each other. I do not see
> this stack defined in the configuration used by WildFly 9, but it should
> work there as well. It is also possible to use the JGroups Gossip Router
> for discovery, but it requires running a separate process that all of
> the nodes contact during the discovery phase.
>
>
>
> 2. It is difficult to do discovery correctly with JGroups and
> Docker. Non-privileged Docker instances - the default and recommended
> type - do not implicitly know their host’s IP. This causes IP
> mismatches between what JGroups thinks the machine’s IP is and what
> it actually is when connecting to hosts on different machines. This
> is the main issue and it’s not the fault of JGroups per se, but
> there’s no simple workaround.
>
> Take for example a simple 2 node cluster:
>
> Node 1 comes up on the docker0 interface of host A with the IP
> address 172.16.0.4. The host A IP is 10.10.0.100.
> Node 2 comes up on the docker0 interface of host B with the IP
> address 172.16.0.8. The host B IP is 10.10.0.108.
>
> The 172.16 network is not routable between hosts (by design). Docker
> does port forwarding for ports we wish to expose, so this works fine
> for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2
> advertises 172.16.0.8. The two cannot talk to each other by default.
> However, using the hard coded IPs and TCP PING, we can
> set external_addr on Node 1 to 10.10.0.100 and external_addr on Node
> 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108.
> This will cause the nodes to discover each other. However, they will
> not form a cluster. The nodes will reject the handshake thinking
> they’re not actually 10.10.0.100 or 10.10.0.108 respectively.
>
> I’d like to discuss further and I can share where we’ve gotten so
> far with workarounds to this but it may be better to get into the
> weeds on another list.
>
> Let me know what you think.
>
> This issue is a little trickier, and I think we should probably move the
> discussion to the jgroups-users list which you can subscribe to here.
> [1] Bela Ban may have some ideas about how to set the binding address or
> interface to get around this. The Fabric8 project is also using a
> JGroups discovery protocol that relies on Kubernetes, but I don't think
> ECS uses Kubernetes.
>
> Thanks,
> Alan
>
> [1] https://lists.sourceforge.net/lists/listinfo/javagroups-users
>
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo(a)smartling.com <mailto:srossillo@smartling.com>
>
> Powered by Sigstr <http://www.sigstr.com/>
>
> On Dec 14, 2015, at 5:32 PM, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
>
> CCing Alan Field from RH Infinispan team and forwarding his
> question:
>
> I'd like to know which configuration files you are using and why it is
> harder to use with Amazon’s Docker service (ECS) or Beanstalk. I'd also be
> interested in how big a cluster you are using in AWS.
>
>
>
> On 14/12/15 22:24, Scott Rossillo wrote:
>
> AWS was why we didn’t use Infinispan to begin with. That
> and it’s even more complicated when you deploy using
> Amazon’s Docker service (ECS) or Beanstalk.
>
> It’s too bad Infinispan / JGroups are beasts when the out
> of the box configuration can’t be used. I’m planning to
> document this as we fix but I’d avoid S3_PING and use
> JDBC_PING. You already need JDBC for the Keycloak DB, unless
> you’re using Mongo and it’s easier to test locally.
>
> TCPPING will bite you on AWS if Amazon decides to replace
> one of your instances (which it does occasionally w/ECS or
> Beanstalk).
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo(a)smartling.com <mailto:srossillo@smartling.com>
>
> Powered by Sigstr <http://www.sigstr.com/>
>
> On Dec 14, 2015, at 10:59 AM, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> On 14/12/15 16:55, Marek Posolda wrote:
>
> On 14/12/15 15:58, Bill Burke wrote:
>
> On 12/14/2015 5:01 AM, Niko Köbler wrote:
>
> Hi Marek,
>
> On 14.12.2015 at 08:50, Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> Btw. what's your motivation to not use infinispan? If you are afraid of cluster communication, you don't need to worry much about it, because if you run a single keycloak through standalone.xml, the infinispan automatically works in LOCAL mode and there is no cluster communication at all.
>
> My current customer is running his apps in AWS. As known, multicast is not available in cloud infrastructures. Wildfly/Infinispan Cluster works pretty well with multicast w/o having to know too much about JGroups config. S3_PING seems to be a viable way to get a cluster running in AWS. But additionally, my customer doesn’t have any (deep) knowledge about JBoss infrastructures and so I’m looking for a way to be able to run Keycloak in a cluster in AWS without the need to build up deeper knowledge of JGroups config, for example in getting rid of Infinispan. But I do understand all the concerns in doing this.
> I still have to test S3_PING, if it works as easily as multicast. If yes, we can use it, if no… I don’t know yet. But this gets off-topic for the Keycloak mailing list, it’s more related to pure Wildfly/Infinispan.
>
> seems to me it would be much easier to get Infinispan working on AWS than to write and maintain an entire new caching mechanism and hope we don't refactor the cache SPI.
>
>
> +1
>
> I am sure infinispan/JGroups has the possibility to run in a non-multicast environment. You may just need to figure out how exactly to configure it. So I agree that this issue is more related to Wildfly/Infinispan itself than to Keycloak.
>
> You may need to use jgroups protocols like TCP instead of the default UDP and maybe TCPPING (this requires you to manually list all your cluster nodes. But still, it's a much better option IMO than rewriting the UserSession SPI)
>
> Btw. if TCPPING or S3_PING is an issue, there is also AWS_PING http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's not an official part of jgroups.
>
> Marek
>
>
> Marek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
SAML requires reauthentication
by Ben Bazian
Scenario:
Use SP initiated URL (same if I use IDP initiated) to log into Salesforce. Open new tab and use same URL and instead of passing right through it once again prompts to authenticate through Keycloak. This behavior occurs even in the same tab. I would expect the behavior to be that as long as the browser is open it should not prompt for credentials.
Is there a setting somewhere that I missed?
Cannot use Keycloak with Postgres DB
by Thomas Darimont
Starting the Keycloak Postgres HA Docker image fails due to a problem with
loading OfflineUserSessions - see stacktrace below.
There is an already resolved (?!) issue
https://issues.jboss.org/browse/KEYCLOAK-1999 filed for Keycloak 1.6.0 that
shows some workaround suggestions, but I think disabling the support for offline
sessions is not a fix to the actual problem...
Would be great to have a real fix, since this prevents the Keycloak server
from starting.
Just verified this with:
- jboss/keycloak-ha-postgres:latest
- jboss/keycloak-ha-postgres:1.7.0.Release
- jboss/keycloak-ha-postgres:1.6.1.Release
- jboss/keycloak-ha-postgres:1.6.0.Release
Steps to reproduce:
# Start Postgres instance:
docker run --name kc-db -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak \
  -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=password \
  -p 25432:5432 -d postgres
# Start KC server
docker run --name kc-server1 --link kc-db:postgres -e POSTGRES_DATABASE=keycloak \
  -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password \
  -p 8101:8080 jboss/keycloak-ha-postgres
# Exception during start:
...
10:33:54,461 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started offlineSessions cache from keycloak container
10:33:54,472 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.NullPointerException
    at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.init(OfflineUserSessionLoader.java:25)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer$1.run(InfinispanUserSessionInitializer.java:100)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:244)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.getOrCreateInitializerState(InfinispanUserSessionInitializer.java:97)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:148)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:78)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$3.run(InfinispanUserSessionProviderFactory.java:111)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:244)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:102)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.onEvent(InfinispanUserSessionProviderFactory.java:86)
    at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:47)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:87)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
    ... 19 more
10:33:54,516 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) -
Error message display
by Frank van Veen
Hi,
I am trying to create and display my own error messages in keycloak. In this case an error occurred in an inherited method from the UserModelDelegate.
Currently the only error message I have been able to display is "Error! An unexpected server error has occurred". This isn't very helpful for our users.
This is a screenshot of a successful operation: https://i.imgur.com/z9dMvxG.png
This is a screenshot of an unsuccessful operation: https://i.imgur.com/LN89Qti.png
It would be nice if I could display "Error! The maximum length of Description is 20 characters".
Any help would be appreciated!
Sincerely,
Frank van Veen
Relationship of Groups to Roles?
by Marc Boorshtein
I'm trying to wrap my head around the use cases where each would be
used. If I understand it correctly, a role is a unit of authorization.
Roles can have entitlements, either defined by Keycloak or an
application. A role can have other roles as members. It can also
have groups and individual users. Groups aren't directly linked to
entitlements, but are instead simply used as a way to create a
set of users (and groups). Is this an accurate representation?
I ask because I want to build some integrations between OpenUnison and
MyVirtualDirectory. Both work primarily on the LDAP concepts of
users, groups and users. Beyond SSO integration between OpenUnison
and Keycloak, I'm looking at creating a provisioning target so
OpenUnison workflows can provision access to Keycloak roles as well
as an insert for MyVirtualDirectory that can represent Keycloak roles
and users as LDAP Objects for legacy applications.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
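To make the roles/groups relationship concrete, here is an added example (not from the post and not Keycloak's code) that resolves a user's effective roles under the model I assume Keycloak uses: composite roles contain other roles, groups carry role mappings and inherit the mappings of their parent groups, and a user has direct role mappings plus group memberships. The realm data is constructed; the reverse lookup at the end is the membership view an LDAP-style integration would need.

```python
"""Resolve a user's effective roles from composite roles, groups and direct mappings.

Added example, not Keycloak's code. It models (as an assumption about Keycloak's
behaviour) three relations: composite roles contain other roles, groups carry
role mappings and inherit the mappings of their parent groups, and a user has
direct role mappings plus memberships in groups. Cycles in composites are tolerated.
"""
from collections import deque

# Constructed sample realm.
COMPOSITES = {            # role -> roles it contains (composite roles)
    "admin": {"editor", "auditor"},
    "editor": {"viewer"},
    "viewer": set(),
    "auditor": {"viewer"},
}
GROUP_PARENT = {          # group -> parent group (None for top level)
    "staff": None,
    "staff/devops": "staff",
    "contractors": None,
}
GROUP_ROLES = {           # direct role mappings of each group
    "staff": {"viewer"},
    "staff/devops": {"editor"},
    "contractors": set(),
}
USER_ROLES = {"alice": {"auditor"}, "bob": set(), "carol": set()}
USER_GROUPS = {"alice": {"staff/devops"}, "bob": {"contractors"}, "carol": {"staff"}}


def expand_composites(roles, composites=COMPOSITES):
    """Transitive closure of role containment (breadth-first, safe on cycles)."""
    seen = set()
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(composites.get(role, ()))
    return seen


def group_chain(group, parents=GROUP_PARENT):
    """Yield a group and every ancestor group, innermost first."""
    while group is not None:
        yield group
        group = parents[group]


def effective_roles(user):
    """Direct roles plus the roles of every group (and ancestor group) the user
    belongs to, with composite roles expanded."""
    granted = set(USER_ROLES.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        for g in group_chain(group):
            granted |= GROUP_ROLES.get(g, set())
    return expand_composites(granted)


def users_with_role(role):
    """Reverse question: who effectively holds a role (what an LDAP view would
    list as the role's members)."""
    return sorted(u for u in USER_ROLES if role in effective_roles(u))


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(effective_roles(user)))
    print("viewer members:", users_with_role("viewer"))
```

Note that `alice` never holds `viewer` directly: it arrives twice, once through the `staff` parent group and once through the `auditor` composite, which is why a provisioning target has to recompute the closure rather than diff direct mappings.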
Clarify "Create a new client" via Admin REST API
by Juraj Janosik
Hi,
I want to clarify the "Create a new client" via REST API,
especially for the body parameter "id" from "ClientRepresentation".
If I set the parameter "id" in the request body (see example below),
the value is set on the client. No new id value is generated for the
client, which is the typical behavior of "Create a new role for the realm
or client
<http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_role_for...>"
and "Create a new user
<http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_user>".
Is this correct behavior?
Tested data example:
"Create Client":
"method": "POST", "url": "<URL>:<PORT>/auth/admin/realms/<REALM>/clients"
"body":
{
  "id": "3",
  "clientId": "testclient-3",
  "name": "testclient-3",
  "description": "TESTCLIENT-3",
  "enabled": true,
  "redirectUris": [ "\\" ],
  "publicClient": true
}
"headers":
[["Content-Type", "application/json"],
 ["Authorization", "Bearer <ACCESS_TOKEN>"]]
Output for GET clients looks like:
{
  "id": "3",
  "clientId": "testclient-3",
  "name": "testclient-3",
  "description": "TESTCLIENT-3",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "\"
  ],
  "webOrigins": [
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "serviceAccountsEnabled": false,
  "directGrantsOnly": false,
  "publicClient": true,
  "frontchannelLogout": false,
  "attributes": {
  },
  ...
Thanks a lot.
Best Regards,
Juraj
Is there any way to map thousands of id from IDP to several roles in brokering
by Mai Zi
Hi there,
Let me try to describe the case first.
We are using the SAML 2.0 ID broker to authenticate the users. From the returned assertions, we can only get the user's ID number. So far as we know, there will be thousands of users. In the ID provider system, there is no role concept, so it is not possible to return us the Role claim.
Now we want to assign roles to those users in Keycloak. We made a rule. For example, if the ID number is less than 100, we assign Role A to this user. If the ID number is between 101 and 1000, we assign Role B to it, and so on.
Of course we can do this manually one by one in the admin console, but for thousands of users, it doesn't make much sense.
We notice there is a Mapper button when configuring the ID provider; is there any way to achieve our goal with that mechanism?
Thanks a lot.
Mai
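The rule the post describes is an ID-range to role table evaluated once per brokered login. As an added example (not from the post and not Keycloak's code), the following implements that evaluation with the properties a mapper applying it would need: inclusive ranges validated for overlap up front, non-numeric subject IDs rejected, and an ID that no rule covers (for instance exactly 100 under "less than 100" and "101 to 1000") yielding no role rather than a wrong one. A real identity-provider mapper would be written in Java against Keycloak's mapper SPI and is assumed rather than shown; the rule values beyond Role A and Role B are illustrative.

```python
"""Map a broker-supplied numeric user ID to a realm role by ID range.

Added example, not Keycloak's code. The post describes rules such as
"ID < 100 -> Role A, 101..1000 -> Role B"; this is the rule evaluation a
custom identity-provider mapper would run on the asserted ID (the mapper
itself and its Keycloak SPI plumbing are assumed and not shown). Ranges are
inclusive, are checked for overlap up front, and an ID covered by no rule
(e.g. exactly 100 under the rules above) yields no role rather than a wrong one.
"""
import bisect


class RangeRoleMapper:
    def __init__(self, rules):
        """rules: iterable of (low, high, role) with inclusive integer bounds."""
        ordered = sorted(rules)
        for lo, hi, role in ordered:
            if lo > hi:
                raise ValueError(f"range for {role!r} has low > high")
        # Adjacent ranges after sorting must not touch or overlap, so that
        # every ID maps to at most one role.
        for (_, hi, role), (nlo, _, nrole) in zip(ordered, ordered[1:]):
            if nlo <= hi:
                raise ValueError(f"overlapping ranges for {role!r} and {nrole!r}")
        self._lows = [lo for lo, _, _ in ordered]
        self._rules = ordered

    def role_for(self, subject):
        """Return the role for a subject ID string, or None if unmapped or non-numeric."""
        if not subject.strip().isdigit():
            return None
        uid = int(subject)
        i = bisect.bisect_right(self._lows, uid) - 1  # last rule whose low <= uid
        if i < 0:
            return None
        lo, hi, role = self._rules[i]
        return role if lo <= uid <= hi else None

    def plan(self, subjects):
        """Group subject IDs by target role; unmapped IDs land under None for review."""
        out = {}
        for s in subjects:
            out.setdefault(self.role_for(s), []).append(s)
        return out


def rules_are_valid(rules):
    """True if the rule table is well-formed (no inverted or overlapping ranges)."""
    try:
        RangeRoleMapper(rules)
    except ValueError:
        return False
    return True


# Constructed rule table following the post's example; Role C is illustrative.
MAPPER = RangeRoleMapper([(0, 99, "Role A"), (101, 1000, "Role B"), (1001, 10_000, "Role C")])

if __name__ == "__main__":
    # Constructed sample of asserted subject IDs, including the uncovered value 100.
    print(MAPPER.plan(["5", "100", "500", "2048", "not-a-number"]))
```

Keeping the uncovered IDs under `None` instead of silently dropping them is the point of the `plan` helper: a batch like this can be reviewed before any role mapping is written to the realm.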