Keycloak User Registration Flow
by Malmi Samarasinghe
Hi All,
I am currently working on registering a user with user realm role and
client role assignment.
Steps followed
1/ create user (retrieve the user ID from Location header)
2/ get user details
3/ update password
4/ create realm role
5/ retrieve all realm roles and filter the ones which need to be assigned
(since the assignment of roles requires the role ID)
6/ assign realm role
7/ same for the application roles as well, which also have multiple
iterations for each client
With all the API calls the user registration seems to have 8+ API calls and
I would like to know if there are any other alternatives/suggestions to get
the user registration flow working more efficiently.
Is there any plan to give a consolidated user registration API in the
future?
Regards,
9 years
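As an added example (not from the original post or the Keycloak project), here is the flow above expressed against the admin REST API of that era, with the HTTP transport passed in as a callable so the sequence can be exercised offline. It assumes the admin base path /auth/admin/realms/{realm} and uses the get-role-by-name endpoints (roles/{role-name} and clients/{id}/roles/{role-name}) so that step 5's list-and-filter becomes one lookup per role; make_fake_send is a constructed stand-in for the server.

```python
import json
from urllib.parse import quote

def _check(status, expected, what):
    if status != expected:
        raise RuntimeError(f"{what}: unexpected HTTP {status}")

def _lookup(send, url):
    status, _, body = send("GET", url, None)
    _check(status, 200, f"lookup {url}")
    return json.loads(body)

def register_user(send, base_url, realm, username, password, realm_roles, client_roles):
    """send(method, url, json_body) -> (status, headers, body_text) is the HTTP transport.
    realm_roles: list of role names; client_roles: {client_uuid: [role_name, ...]}."""
    admin = f"{base_url}/admin/realms/{realm}"
    users = f"{admin}/users"
    # 1. create the user; its id is only available from the Location header
    status, headers, _ = send("POST", users, {"username": username, "enabled": True})
    _check(status, 201, "create user")
    user_id = headers["Location"].rstrip("/").rsplit("/", 1)[-1]
    # 2. set the password; temporary=False so the user is not forced to change it
    status, _, _ = send("PUT", f"{users}/{user_id}/reset-password",
                        {"type": "password", "value": password, "temporary": False})
    _check(status, 204, "reset password")
    # 3. realm roles: fetch each role by name (the mapping call needs the role id)
    #    instead of listing and filtering, then map them all in one request
    reps = [_lookup(send, f"{admin}/roles/{quote(name)}") for name in realm_roles]
    if reps:
        status, _, _ = send("POST", f"{users}/{user_id}/role-mappings/realm", reps)
        _check(status, 204, "map realm roles")
    # 4. client roles: same pattern, one mapping request per client
    for client_uuid, names in client_roles.items():
        reps = [_lookup(send, f"{admin}/clients/{client_uuid}/roles/{quote(n)}") for n in names]
        status, _, _ = send("POST", f"{users}/{user_id}/role-mappings/clients/{client_uuid}", reps)
        _check(status, 204, f"map client roles for {client_uuid}")
    return user_id

def make_fake_send(calls):
    """Constructed stand-in for the admin API (no network): records calls, answers like the endpoints."""
    def send(method, url, body):
        calls.append((method, url, body))
        if method == "POST" and url.endswith("/users"):
            return 201, {"Location": url + "/u-123"}, ""
        if method == "GET":
            name = url.rsplit("/", 1)[-1]
            return 200, {}, json.dumps({"id": "r-" + name, "name": name})
        return 204, {}, ""
    return send
```

With two realm roles and one client role the whole registration is seven requests, and each role costs one GET rather than a full role listing.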
Application/Client specific "permission" resolution ability in keycloak
by Subhrajyoti Moitra
Hello,
Is there an ability in Keycloak to manage application/client "permissions",
similar to what Shiro has using WildCardPermissions.
http://shiro.apache.org/permissions.html
I understand that this is very domain and application specific, but is
there some generic way to manage these for specific Keycloak clients?
Currently trying to implement permissions for a couple of keycloak clients
in custom way; roles are stored in keycloak, the applications manages the
permission mapping with the specific roles.
Any pointers to the same would be very helpful.
Thanks and regards,
Subhro.
9 years
Basic authentication - adapter not using backend-url for HttpPost?
by Guy Davis
Good day,
I'm working with Keycloak 1.7.0.Final (in its own WildFly) behind an
HAProxy instance. A REST service is deployed (as .war) on another server
(also behind HAProxy) in a JBoss EAP instance, protected using the Keycloak
adapter.
The deployment is protected as follows in standalone.xml of the JBoss
instance:
<secure-deployment name="mytest.war">
    <realm>MyRealm</realm>
    <resource>my-resource</resource>
    <use-resource-role-mappings>true</use-resource-role-mappings>
    <enable-basic-auth>true</enable-basic-auth>
    <public-client>true</public-client>
    <realm-public-key>MIIB...QAB</realm-public-key>
    <auth-server-url>/auth</auth-server-url>
    <auth-server-url-for-backend-requests>http://proxy:8080/auth</auth-server-url-for-backend-requests>
    <ssl-required>NONE</ssl-required>
    <principal-attribute>preferred_username</principal-attribute>
</secure-deployment>
Here is relevant section of mytest.war's web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All Admin</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>my-admins</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
    <description>Admin access for admins.</description>
    <role-name>my-admins</role-name>
</security-role>
Due to the use of the old JBoss EAP 6.1 server, I've had to add the
following to mytest.war's jboss-web.xml to support proxying, with proxy
headers added by HAProxy:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>keycloak-web</security-domain>
    <context-root>mytest</context-root>
    <valve>
        <class-name>org.apache.catalina.valves.RemoteIpValve</class-name>
        <param>
            <param-name>protocolHeader</param-name>
            <param-value>x-forwarded-proto</param-value>
        </param>
    </valve>
</jboss-web>
The hostname "proxy" is resolvable within the cluster behind HAProxy and
will result in direct access to the Keycloak instance. From outside the
cluster, all the services are mapped to the same HTTP namespace by
HAProxy. So an external request to http://[external_haproxy]/auth will be
proxied to Keycloak in the cluster. The 'my-resource' Keycloak client has
direct access grants enabled and is set to Public access.
In testing, where the entire cluster is launched in Vagrant running on
Windows, if I access http://localhost/mytest/api/... in a browser, I am
shown the Keycloak login and get the REST service result as expected. This
tells me that the majority of my configuration above is good.
However, if I use a client like curl or JMeter to send a similar HTTP
request with the Basic authentication header added:
Authorization: Basic YWRtaW46YWRtaW4=
Then the following is observed in the JBoss log from Keycloak adapter:
2016-01-04 20:03:49,295 DEBUG
[org.keycloak.adapters.BasicAuthRequestAuthenticator] (http-/0.0.0.0:8080-1)
Failed to obtain token: java.net.ConnectException: Connection refused
Upon debugging through the Keycloak adapter code to watch the basic
authentication process, I found myself
in BasicAuthRequestAuthenticator.getToken() where I find that
*deployment.getAuthServerBaseUrl()* == "http://localhost/auth" which is
not valid on the JBoss EAP system. This tells me that the external
hostname (Vagrant host) is being used to build the URI for contacting the
internal Keycloak host. In particular, the provided value for
<auth-server-url-for-backend-requests> is not being used. Since this Basic
Auth code uses this URI to issue a "backend" request, I would have expected
the <auth-server-url-for-backend-requests> value to be used.
So my question is whether I am missing a basic authentication specific
configuration step or whether I've encountered a defect in URI handling for
basic auth + backend requests. Interestingly, in the attached Eclipse
screenshot, the deployment object is aware of the http://proxy:8080 URI
backend but it is not being used for authServerBaseUrl.
Note, the scope of this problem is more than my Vagrant/localhost example.
I expect the same problem to manifest in our AWS test environment where
external hostnames don't resolve for cluster members identified by internal
hostnames only. I'm hoping to find a solution before this hits our test
environment.
Thanks in advance,
Guy
9 years
Question about Realm and Client (Resource) Roles
by Giovanni Baruzzi
Dear All,
In the documentation I read about the Realm and Resource Roles
Under "2.2.1. Permission scopes" you can read:
"The role mappings contained within the token are the intersection between
the set of user role mappings and the permission scope
of the client. So, access tokens are tailor made for each client and
contain only the information required for by them."
Further, under "8.1. General Adapter Configuration", you read:
"use-resource-role-mappings: If set to true, the adapter will look inside
the token for application level role mappings for the user.
If false, it will look at the realm level for user role mappings. This is
OPTIONAL. The default value is false."
I would like to understand how to use it and how to configure it, but I
cannot find anything in the documentation nor in the tips of the Console.
Can anybody give me a pointer to more information?
Thank you,
Giovanni
9 years
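An added illustration of the two quoted passages (example code, not from the post or the Keycloak project): build_token_roles models the "intersection of user role mappings and client permission scope" rule, and adapter_roles shows which claim of the resulting access token the adapter consults depending on use-resource-role-mappings. The claim names realm_access and resource_access are the ones a Keycloak access token carries; the sample users, clients and roles are constructed.

```python
def build_token_roles(user_realm_roles, user_client_roles, scope_realm_roles, scope_client_roles):
    """Model of the quoted permission-scope rule: the token carries only the
    intersection of the user's role mappings and the client's permission scope.
    user_client_roles / scope_client_roles are {client_id: [role, ...]} dicts."""
    realm = sorted(set(user_realm_roles) & set(scope_realm_roles))
    resource = {}
    for client, roles in user_client_roles.items():
        allowed = set(roles) & set(scope_client_roles.get(client, ()))
        if allowed:
            resource[client] = {"roles": sorted(allowed)}
    # These are the claim names a Keycloak access token actually uses.
    return {"realm_access": {"roles": realm}, "resource_access": resource}

def adapter_roles(claims, resource, use_resource_role_mappings):
    """Role set the adapter checks web.xml <role-name> entries against."""
    if use_resource_role_mappings:
        # true: application-level roles under resource_access.<client-id>.roles
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    # false (the default): realm-level roles under realm_access.roles
    return set(claims.get("realm_access", {}).get("roles", []))

def has_role(claims, resource, role, use_resource_role_mappings=False):
    return role in adapter_roles(claims, resource, use_resource_role_mappings)

# Constructed sample: the user holds realm roles user and admin, plus client
# roles on two clients, but the my-resource client's scope only admits the
# realm role "user" and its own "my-admins" role.
SAMPLE_CLAIMS = build_token_roles(
    ["user", "admin"], {"my-resource": ["my-admins"], "other-app": ["viewer"]},
    ["user"], {"my-resource": ["my-admins"]})
```

Note that with use-resource-role-mappings left at false, a web.xml constraint on my-admins fails even though the token carries that client role, because the adapter then only looks at realm_access.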
Clustering without the use of multicast
by Eugene Chow
Hi guys,
Is it possible for clustering to work without the use of multicast traffic? My provider blocks multicast traffic by default and refuses to budge.
Can I manually supply (the IP addresses of) all the nodes in the cluster to each Keycloak instance, so that they are aware of each other?
Thanks and happy new year to the Keycloak team!
9 years
AdapterDeploymentContextBean no default constructor
by alex orl
I'm working on Keycloak 1.7.0.Final. I'm trying to integrate a new Spring-secured web application with the Keycloak SSO mechanism. Following the last guide reference, specifically chapter 8.10, I wrote a keycloak-security-context.xml containing the specified configuration. When I deploy the application I get this error:
Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean.<init>()
Effectively AdapterDeploymentContextBean
https://github.com/keycloak/keycloak/blob/1.7.x/integration/spring-securi...
doesn't declare the default constructor. What am I missing?
9 years
Is it mandatory for adapter version to be same as the keycloak version?
by Mai Zi
Hi there, suppose we have a WildFly app server with adapter version 1.11 that will talk to Keycloak 1.7.0.Final; is it possible?
In other words, do we need to upgrade the adapter to 1.7.0?
If this is the case, our WildFly is 8.0; is it safe to use the latest 1.7.0 adapter?
TIA.
Mai
9 years
Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish
by Mahantesh Prasad Katti
Thanks Johan for the info. I could not find any documentation for adapter for glassfish on the official links. https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html...
-Prasad
From: Johan B. [mailto:johan.bos@gmail.com]
Sent: Sunday, January 03, 2016 1:00 AM
To: Mahantesh Prasad Katti
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish
Hi
You are missing the adapter installation.
Each app server must have the adapter configured so the security ctx KEYCLOAK has some meaning to your app server.
See the documentation part about the adapter installation. Depending on the server type you have either lib only to provide to your server lib or some more configuration to do. For Tomcat I only had to copy some jars.
On the download section there is an adapter folder in which you will find an archive with the things to install on your server type.
Hope this helps
On Saturday, 2 January 2016, Mahantesh Prasad Katti <Mahantesh.Katti(a)indecomm.net> wrote:
Hi All,
I have some web applications deployed in GlassFish. And we are trying to implement SSO using Keycloak. I wanted to understand if Keycloak secures and provides SSO support for applications deployed on GlassFish or if it is applicable to applications deployed on JBoss only? I tried to secure a GlassFish web application using Keycloak [specifying the Keycloak pom dependencies, keycloak.json and related entries in web.xml], but I could not see the direction happening to Keycloak for authentication. Am I missing something here? Appreciate any pointers.
Regards
Prasad
9 years
propagating authentication to REST layer
by Tim Dudgeon
The user docs
(http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.ht...)
describe exactly what I'm looking for:
> Signed access tokens can also be propagated by REST client requests
> within an Authorization header. This is great for distributed
> integration as applications can request a login from a client to
> obtain an access token, then invoke any aggregated REST invocations to
> other services using that access token.
I have a web app (in Tomcat) that uses the Keycloak adapter for user
authentication.
This web app needs to access a REST service, running in a different
Tomcat container and I want the REST service to use the same user
authentication, but I'm not totally sure about how to go about this.
Do I just grab the keycloak token in the header in the web app and add
that as a header when calling the REST service, and set the REST service
up to use the same Keycloak adapter configuration as the web app?
What if I want to have other ways to authenticate the REST service (e.g.
access from multiple clients)?
Tim
9 years
Setting Password for Users.
by PAA KOJO KONDUAH AMOS
Hello.
I am using Keycloak admin client version 1.7.0.Final to create users from an external application. I am able to create users (with user.setEnabled set to true) and set the password as well. However, when I try to login it fails.
Please can anyone show me a sample code for password reset?
This is what I have so far:
URL: http://localhost:8888/auth/admin/realms/crusadersterling/users/
import java.io.IOException;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.HttpClientBuilder;
import org.keycloak.representations.idm.CredentialRepresentation;

import com.fasterxml.jackson.databind.ObjectMapper;

// Issues PUT {reset_password property}{userId}/reset-password, i.e.
// /auth/admin/realms/{realm}/users/{userId}/reset-password, with an admin bearer token.
// PropertiesUtil and Failure are the poster's own classes and are not shown here.
public void resetPassword(String userId, String token) throws IOException, Failure {
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("123456");
    credential.setTemporary(true); // user must choose a new password at first login
    HttpClient client = HttpClientBuilder.create().build();
    ObjectMapper mapper = new ObjectMapper();
    try {
        String usersUrl = PropertiesUtil.getValue("reset_password");
        HttpPut put = new HttpPut(usersUrl + userId + "/reset-password");
        put.addHeader("Authorization", "Bearer " + token);
        put.setHeader("Accept", "application/json");
        String json = mapper.writeValueAsString(credential);
        // ContentType.APPLICATION_JSON sets Content-Type and the UTF-8 charset together
        put.setEntity(new StringEntity(json, ContentType.APPLICATION_JSON));
        HttpResponse response = client.execute(put);
        int status = response.getStatusLine().getStatusCode();
        if (status < 200 || status >= 300) { // a successful reset answers 204 No Content
            System.err.println(response.getStatusLine().getReasonPhrase());
            throw new Failure(status);
        }
    } finally {
        client.getConnectionManager().shutdown();
    }
}
9 years