307 redirect issue + OAuth2/OpenID Connect possible vulnerability
by Gabriel Lavoie
Hi,
We currently have the following setup:
External service --- SAML --> Keycloak --- OpenID Connect --> External IdP
When an SP-initiated authentication request is made to Keycloak by
posting a SAML assertion, Keycloak goes through a series of redirects to
authenticate the user to the external IdP through OpenID Connect first.
The redirects are currently done using a 307 Temporary Redirect HTTP
status code with a Location header. This makes the browser issue a POST request to
the external IdP with the SAML assertion, which could basically leak
information.
While OpenID Connect allows 302, 303 and 307 as the HTTP status code, using
anything other than 303 (which would transform the request into a GET request)
seems to be a known attack vector on the protocol:
http://securityaffairs.co/wordpress/43518/digital-id/oauth-2-vulnerabilit...
Is there a way to change the HTTP code that is used by Keycloak to issue
temporary redirections?
Thanks,
Gabriel
--
Gabriel Lavoie
glavoie(a)gmail.com
8 years, 2 months
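The behaviour Gabriel describes, as an added example (this is demo code, not code from the post or from Keycloak): a local server plays both the endpoint that receives the POSTed SAML body and the external IdP it redirects to, and a small client applies the RFC 7231 redirect rules a browser applies. With a 307 the SAML body is replayed to the IdP; with a 303 the browser arrives with a bare GET. The host, the two paths and the SAMLResponse value are constructed for the demo.

```python
"""Added example, not code from the original post or from Keycloak.

A local HTTP server plays two roles: a stand-in for the endpoint that takes
the POSTed SAML body and answers with a redirect, and a stand-in for the
external IdP that records what actually reaches it. follow() applies the
redirect rules from RFC 7231 that browsers apply. Host, paths and the
SAMLResponse value are constructed for the demo.
"""
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

ACS_PATH = "/auth/realms/demo/broker/saml/endpoint"  # hypothetical ACS path
IDP_PATH = "/idp/auth"                                # hypothetical external IdP
SAML_BODY = b"SAMLResponse=PHNhbWxwOlJlc3BvbnNlLi4uPg%3D%3D"  # constructed payload

RECEIVED = []  # (method, body) pairs seen by the "external IdP" path


class Handler(BaseHTTPRequestHandler):
    redirect_status = 307  # overridden per run by post_saml_to_acs()

    def _body(self):
        n = int(self.headers.get("Content-Length") or 0)
        return self.rfile.read(n) if n else b""

    def _reply(self, status, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _handle(self):
        body = self._body()
        if self.path == ACS_PATH and self.command == "POST":
            # The ACS bounces the browser on to the external IdP.
            target = f"http://127.0.0.1:{self.server.server_port}{IDP_PATH}"
            self._reply(self.redirect_status, target)
        elif self.path == IDP_PATH:
            RECEIVED.append((self.command, body))
            self._reply(200)
        else:
            self._reply(404)

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


class Server(ThreadingHTTPServer):
    def server_bind(self):
        # Skip HTTPServer's getfqdn() reverse lookup so the demo runs offline.
        socketserver.TCPServer.server_bind(self)
        self.server_port = self.server_address[1]


def follow(url, method, body, max_hops=5):
    """Follow redirects the way RFC 7231 (and real browsers) do:
    303 -> GET with no body; 307/308 -> same method and body replayed;
    301/302 after a POST -> rewritten to GET by browsers in practice."""
    for _ in range(max_hops):
        u = urlsplit(url)
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
        conn.request(method, u.path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308):
            return resp.status
        url = resp.getheader("Location")
        if resp.status == 303 or (resp.status in (301, 302) and method == "POST"):
            method, body = "GET", None
    raise RuntimeError("too many redirects")


def post_saml_to_acs(redirect_status):
    """POST the constructed SAML body to the ACS and return the (method, body)
    that the external IdP path received after the redirect."""
    RECEIVED.clear()
    Handler.redirect_status = redirect_status
    srv = Server(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        follow(f"http://127.0.0.1:{srv.server_port}{ACS_PATH}", "POST", SAML_BODY)
        return RECEIVED[0]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("307:", post_saml_to_acs(307))  # the SAML body is replayed to the IdP
    print("303:", post_saml_to_acs(303))  # a bare GET; the body stays behind
```

The check worth keeping from this: whatever status the identity broker emits, the thing to verify is what the browser sends to the next hop, which is why the demo records the method and body at the IdP side rather than trusting the status code alone.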
Application to Application OAuth using KeyCloak Clients
by Raja Sekhar
I have a REST Service and multiple REST Clients. There is no user interaction involved in this case; the communication is app to app. I need to use the Java Servlet Filter Adapter as there is no adapter for WebLogic. Please help me set up my REST Service Keycloak client and my REST Client Keycloak clients.
I used an OpenID Bearer-Only KeyCloak client on my Service side and an OpenID Confidential KeyCloak client on my Client side. Using user credentials and the OpenID Confidential KeyCloak client secret I am able to generate an access token and make calls to my secured Service (the Service is configured with an OpenID Bearer-Only KeyCloak client). Any user, with or without a role assigned to them, can generate an access token using the OpenID Confidential KeyCloak client and make calls to my secured service. (How do I configure the bearer-only KeyCloak client to filter or accept only certain users who are using OpenID Confidential KeyCloak clients?)
Thanks and Regards
Raja Konkala
8 years, 2 months
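An added example of the checks a bearer-only service (or a servlet filter in front of it) needs before trusting a token, which is where the "any user can call my service" problem above is solved: signature, issuer, expiry, the client the token was issued to ("azp"), and a required role. This is demo code, not Keycloak's adapter or the poster's. Keycloak signs access tokens with RS256 and publishes the realm key; to run offline the demo signs with HS256 over a constructed shared secret instead, and the realm URL, client IDs, role name and subjects are all constructed.

```python
"""Added example, not code from the original post or from Keycloak.

Validates a bearer token the way a bearer-only service should: signature
first, then issuer, expiry, the issuing client (azp) and the required role.
Keycloak issues RS256 tokens verified against the realm's public key; this
demo uses HS256 with a constructed key so it runs stand-alone. All names
below (realm, clients, role, subjects) are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "http://localhost:8080/auth/realms/demo"    # hypothetical realm
TRUSTED_CLIENTS = {"rest-client-a", "rest-client-b"}  # hypothetical client IDs
SERVICE_CLIENT = "rest-service"                        # hypothetical bearer-only client


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict) -> str:
    """Issuer side of the demo: build a compact JWT over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authorize(token: str, required_role: str, now=None) -> tuple[bool, str]:
    """Return (accepted, reason). Nothing in the payload is trusted until the
    signature has been verified, and the algorithm is pinned, not read from
    the token."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("azp") not in TRUSTED_CLIENTS:
        return False, "token not issued to a trusted client"
    # Keycloak carries realm roles in realm_access.roles and client roles in
    # resource_access[<client>].roles; the role may live in either place.
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(claims.get("resource_access", {})
                       .get(SERVICE_CLIENT, {}).get("roles", []))
    if required_role not in realm_roles | client_roles:
        return False, f"missing role {required_role}"
    return True, "ok"


def demo_tokens(now: float) -> dict[str, str]:
    """Constructed tokens covering the cases in the post."""
    base = {"iss": ISSUER, "exp": now + 300, "azp": "rest-client-a"}
    return {
        "with_role": mint({**base, "sub": "svc-1",
                           "realm_access": {"roles": ["rest-caller"]}}),
        "no_role": mint({**base, "sub": "svc-2"}),
        "unknown_client": mint({**base, "sub": "svc-3", "azp": "some-other-client",
                                "realm_access": {"roles": ["rest-caller"]}}),
        "expired": mint({**base, "sub": "svc-4", "exp": now - 1,
                         "realm_access": {"roles": ["rest-caller"]}}),
    }


if __name__ == "__main__":
    for name, tok in demo_tokens(time.time()).items():
        print(name, authorize(tok, "rest-caller"))
```

The role check is the part that answers the question: a token that verifies but carries no required role is rejected, so only users (or service accounts) that have been granted the role get through, regardless of which confidential client minted the token.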
how to use spring boot adapter
by Patrick Boe
Hello,
I'm trying to understand how to use the spring boot adapter for keycloak. As a test case, I'm attempting to use it from one of the spring boot quickstart projects. Please see the following question:
http://stackoverflow.com/questions/39794779/how-do-i-configure-the-spring...
Full text:
I am trying to set up a basic example spring boot site which uses keycloak for security. I have done the following
* cloned and ran (gradlew bootRun) the 'complete' example from https://spring.io/guides/gs/serving-web-content/ (https://github.com/spring-guides/gs-serving-web-content.git) to verify that it works
* added the following to the project's gradle dependencies:
compile("org.keycloak:keycloak-spring-boot-adapter:2.2.1.Final")
compile("org.keycloak:keycloak-tomcat8-adapter:2.2.1.Final")
* put the following in config/application.yml:
spring:
  profiles: default
server.port: 8090
keycloak:
  securityConstraints:
    - securityCollections:
        - name: application section
          authRoles:
            - user
          patterns:
            - /
  realm: stl
  realmKey: MIIBIjANBgkqh[etc...]?
  auth-server-url: http://localhost:8280/auth
  ssl-required: none
  resource: example-ui
  credentials:
    secret: a117[etc...]
With these steps, I believe I've followed all the directions in https://keycloak.gitbooks.io/securing-client-applications-guide/content/v.... But now when I attempt to browse to the application, I get an error. This is what's logged to the console: No login page was defined for FORM authentication in context []
What am I missing to complete configuration of this app? From prior experience with earlier versions of other keycloak adapters, I would expect to have to specify an auth method of KEYCLOAK somewhere, but I don't know where that would go in spring boot, if indeed it goes anywhere.
8 years, 2 months
Create user in one realm, delete it from different one
by Bystrik Horvath
Dear members,
I currently use Keycloak 1.9.3 and came across very strange behavior. My case
is the following:
1.) authenticate to realm1 using a client with service account
2.) create a user in realm1
3.) retrieve the created user to get its UID
4.) authenticate to realm2 using the same client and same service account
5.) delete the user in realm2 using the mentioned UID without error
Analyzing the code I found that the class UserCacheSession does not check
the realm in this case in the method getUserById(String id, RealmModel
realm). When I restart Keycloak after step 3 and execute steps 4 and 5
afterwards, the case finishes with an error (which I find OK).
Is my case somehow wrong or could it be a real issue?
Best regards,
Bystrik
8 years, 2 months
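A small model of the lookup Bystrik describes, added here as an example (not Keycloak's code and not the poster's): a user cache keyed by user ID alone, consulted through a getUserById(id, realm)-style call, lets a caller working in realm2 delete a user that belongs to realm1 for as long as the entry is cached, and a restart (an empty cache) makes the same call fail. The hardened variant compares the cached user's realm with the realm the caller is operating in. Realm names, the user ID and the username are constructed.

```python
"""Added example, not code from the original post or from Keycloak.

Models the five steps in the post against two cache lookups: one keyed by
user id with the realm never compared (check_realm=False), and one that
rejects a cached user from another realm (check_realm=True). Realm names,
the user id and the username are constructed.
"""
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    realm_id: str
    username: str


class Store:
    """Stand-in for the persistent user store, keyed by (realm, user id)."""

    def __init__(self):
        self.rows = {}

    def add(self, user):
        self.rows[(user.realm_id, user.user_id)] = user

    def get(self, realm_id, user_id):
        return self.rows.get((realm_id, user_id))

    def delete(self, realm_id, user_id):
        return self.rows.pop((realm_id, user_id), None) is not None


class CachedUsers:
    """Cache in front of the store. check_realm=False reproduces the lookup
    the post describes; check_realm=True is the hardened variant."""

    def __init__(self, store, check_realm):
        self.store = store
        self.check_realm = check_realm
        self.cache = {}  # user_id -> User, no realm in the key

    def get_user_by_id(self, user_id, realm_id):
        user = self.cache.get(user_id)
        if user is None:
            user = self.store.get(realm_id, user_id)  # store lookup is realm-scoped
            if user is not None:
                self.cache[user_id] = user
            return user
        if self.check_realm and user.realm_id != realm_id:
            return None  # cached entry belongs to another realm: not visible here
        return user

    def remove_user(self, user_id, realm_id):
        user = self.get_user_by_id(user_id, realm_id)
        if user is None:
            return False
        self.cache.pop(user_id, None)
        return self.store.delete(user.realm_id, user_id)

    def restart(self):
        self.cache.clear()  # what the Keycloak restart in the post amounts to


def reproduce(check_realm, restart_between=False):
    """Steps 1-5 from the post. Returns
    (delete_in_realm2_succeeded, user_still_present_in_realm1)."""
    store = Store()
    users = CachedUsers(store, check_realm)
    # steps 1-3: as realm1, create the user and read it back (this caches it)
    store.add(User("9d1c0e3a", "realm1", "bystrik"))  # constructed id and name
    assert users.get_user_by_id("9d1c0e3a", "realm1") is not None
    if restart_between:
        users.restart()
    # steps 4-5: as realm2, delete by the same id
    deleted = users.remove_user("9d1c0e3a", "realm2")
    return deleted, store.get("realm1", "9d1c0e3a") is not None


if __name__ == "__main__":
    print("id-only cache:          ", reproduce(check_realm=False))  # (True, False)
    print("id-only cache + restart:", reproduce(check_realm=False, restart_between=True))
    print("realm-checked cache:    ", reproduce(check_realm=True))
```

The general rule the hardened branch encodes: when a cache sits in front of a realm-scoped store, either the cache key must include the realm or every hit must be re-checked against the realm of the caller, otherwise the cache silently widens the store's authorization boundary.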
multiple redirects after authentication
by Pulkit Gupta
Hi All,
I am facing a problem with my keycloak integration.
When I enter the URL of my application it gets redirected to the keycloak
server.
After I enter the credentials the server redirects back to my application
URL.
Till now things look OK. Once authentication is successful, weird things
start.
Keycloak server redirects back to my application.
My application again redirects to the keycloak server which without showing
the login page again redirects to my application. This happens once or
twice after which finally my application page loads. In this process, I can
see multiple SAML XMLs being exchanged.
Environment and setup Details
SP EntityID : /wapps/distributors
Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
Server : 2 Jboss 6 servers running behind a LB
Please let me know in case this is something related to configuration or
might be some issue related to proxies or load balancers in my environment.
--
Thanks,
Pulkit
AMS
8 years, 2 months
SAML attribute importer with multiple values
by Manuel Palacio
Hello,
I am trying to process a SAML attribute with multiple values.
To that end I have created a client mapper of type User Attribute with
"Multivalued" on.
I also have an "attribute importer" mapper in the SAML v2.0 identity
provider. It points to user attribute name defined in the client mapper
mentioned above.
Unfortunately, it is only mapping the first value into the access token.
The attribute in the SAML response looks like this
<Attribute Name="http://cambio.se/2016-09/cds/profile">
  <AttributeValue>value1</AttributeValue>
  <AttributeValue>value2</AttributeValue>
  <AttributeValue>value3</AttributeValue>
</Attribute>
In the access token only the first value appears as part of "otherClaims"
map.
What do I need to do in order to get all the values in the access token?
Thanks
/Manuel
8 years, 2 months
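An added example (not Keycloak's importer and not code from the post) that parses the multi-valued Attribute quoted above and shows the two behaviours Manuel is comparing: an importer that keeps only the first AttributeValue, and one that keeps the whole list and puts the list into the token claim. The assertion fragment is constructed around the attribute from the post, with a second single-valued attribute added; a real response has to be signature-checked before anything is imported, which this snippet deliberately leaves out.

```python
"""Added example, not code from the original post or from Keycloak.

Extracts SAML 2.0 Attribute elements (all AttributeValue children, not just
the first) and maps them into user attributes and then into token claims,
single-valued or multivalued. The assertion below is constructed around the
attribute quoted in the post; no signature verification is done here.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: the post's attribute plus one single-valued one.
ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://cambio.se/2016-09/cds/profile">
      <saml:AttributeValue>value1</saml:AttributeValue>
      <saml:AttributeValue>value2</saml:AttributeValue>
      <saml:AttributeValue>value3</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>manuel@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: bytes) -> dict:
    """Return {attribute Name: [all AttributeValue texts, in document order]}."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def import_to_user(attrs: dict, mapping: dict, multivalued: bool) -> dict:
    """mapping: SAML attribute Name -> user attribute name. A single-valued
    importer keeps only the first value (the behaviour the post sees); a
    multivalued one keeps the whole list."""
    user = {}
    for saml_name, user_attr in mapping.items():
        values = attrs.get(saml_name, [])
        if not values:
            continue
        user[user_attr] = list(values) if multivalued else values[0]
    return user


def claims_from_user(user: dict, claim_map: dict) -> dict:
    """Build the extra-claims part of a token from user attributes.
    claim_map: user attribute name -> claim name."""
    return {claim: user[attr] for attr, claim in claim_map.items() if attr in user}


if __name__ == "__main__":
    attrs = extract_attributes(ASSERTION)
    mapping = {"http://cambio.se/2016-09/cds/profile": "cds_profile", "mail": "email"}
    for multi in (False, True):
        user = import_to_user(attrs, mapping, multivalued=multi)
        print("multivalued" if multi else "single-valued",
              claims_from_user(user, {"cds_profile": "profile", "email": "email"}))
```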
Can't get adapter subsystem config to work in KC2.2.1 - keycloak.json works
by Chris S. Dollar
Hi All,
I'm working with some POC code based on this blog post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
Up till now I've been using WF10 Final and KC 2.0.0 Final, and everything has been going fine. I could configure the security of my .war (which is packaged in an .ear) via the per-war keycloak.json method or via the adapter subsystem method and both worked.
Today I started on migrating our POC to WF 10.1 Final and KC 2.2.1 Final. With this new combo I'm not having any problems configuring war security using keycloak.json - that seems to work fine, but I can't seem to get the adapter subsystem method working. Using the adapter subsystem it appears that KC isn't trying to authenticate my app as I'm prompted for basic auth credentials. Enabling trace logging for KC and org.jboss.security didn't give any clues.
Are there any changes or known issues with the adapter config method in KC 2.2.1? And/or is there anyone using that method successfully in their configuration?
Also, as I was investigating this I noticed (what I think is) an inconsistency in the docs. The java adapters config page shows the config option "credentials" and shows how to use it in the keycloak.json file. https://keycloak.gitbooks.io/securing-client-applications-guide/content/v... However, the page for the JBoss/EAP/WF adapters references the option as "credenial" without the trailing "s", and the examples shown there also do not have the trailing s character. https://keycloak.gitbooks.io/securing-client-applications-guide/content/v... Should that value be different in each case, as the docs seem to indicate? The adapters config page also states that the value is required, but as best I can tell it isn't… And I'm 99% sure that the 'credential' deal isn't my real issue here, but I thought I'd point it out in case the docs are incorrect.
Any suggestions would be appreciated! Thanks!
Chris
8 years, 2 months
Logging from execute-action-email?
by Andy Yar
Hello,
I'm trying to debug sending of email notifications in my standalone
installation of Keycloak 2.2.1.Final.
When I manually trigger a notification in Admin Console it spits out an
alert message: "*Error!* Failed to send email to user". However, my
standalone/log/server.log is empty - no ERROR, stacktrace, nothing...
Where is the proper place to turn on logging of these exceptions?
Thanks
8 years, 2 months
deployed provider + EJB = infinispan lock timeout
by Harold Campbell
I'm trying to implement a user storage provider following the
user-storage-jpa example project as a guide. My problem is that I can only
try to authenticate once. Subsequent attempts fail with the exception
below.
It seems to be related to the provider being a Stateful EJB.
I have an older style federation provider, which uses jdbc directly,
which I converted from a wildfly module to a deployed jar. It works
just fine until I turn it into a Stateful EJB. It then fails the same
as the user storage provider.
I can't see anything I'm doing significantly different from the example
project.
Can anyone help?
I'm using KC 2.2.1.Final
2016-10-05 00:35:56,645 ERROR [io.undertow.request] (default task-69) UT005023: Exception handling request to /auth/realms/envestnet-ops/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.infinispan.util.concurrent.TimeoutException: ISPN000299: Unable to acquire lock after 10 seconds for key envestnet-ops.username.winthorpe and requestor GlobalTransaction:<null>:120:local. Lock is held by GlobalTransaction:<null>:108:local
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.infinispan.util.concurrent.TimeoutException: ISPN000299: Unable to acquire lock after 10 seconds for key myprovider.username.myuser and requestor GlobalTransaction:<null>:120:local. Lock is held by GlobalTransaction:<null>:108:local
at org.infinispan.util.concurrent.locks.impl.DefaultLockManager$KeyAwareExtendedLockPromise.lock(DefaultLockManager.java:236)
at org.infinispan.interceptors.locking.AbstractLockingInterceptor.lockAndRecord(AbstractLockingInterceptor.java:190)
at org.infinispan.interceptors.locking.AbstractTxLockingInterceptor.checkPendingAndLockKey(AbstractTxLockingInterceptor.java:192)
at org.infinispan.interceptors.locking.AbstractTxLockingInterceptor.lockOrRegisterBackupLock(AbstractTxLockingInterceptor.java:113)
at org.infinispan.interceptors.locking.PessimisticLockingInterceptor.visitDataWriteCommand(PessimisticLockingInterceptor.java:121)
at org.infinispan.interceptors.locking.AbstractTxLockingInterceptor.visitPutKeyValueCommand(AbstractTxLockingInterceptor.java:62)
at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:99)
at org.infinispan.interceptors.TxInterceptor.enlistWriteAndInvokeNext(TxInterceptor.java:366)
at org.infinispan.interceptors.TxInterceptor.visitPutKeyValueCommand(TxInterceptor.java:220)
at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:99)
at org.infinispan.interceptors.CacheMgmtInterceptor.updateStoreStatistics(CacheMgmtInterceptor.java:191)
at org.infinispan.interceptors.CacheMgmtInterceptor.visitPutKeyValueCommand(CacheMgmtInterceptor.java:177)
at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:99)
at org.infinispan.interceptors.InvocationContextInterceptor.handleAll(InvocationContextInterceptor.java:107)
at org.infinispan.interceptors.InvocationContextInterceptor.handleDefault(InvocationContextInterceptor.java:76)
at org.infinispan.commands.AbstractVisitor.visitPutKeyValueCommand(AbstractVisitor.java:43)
at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:99)
at org.infinispan.interceptors.BatchingInterceptor.handleDefault(BatchingInterceptor.java:66)
at org.infinispan.commands.AbstractVisitor.visitPutKeyValueCommand(AbstractVisitor.java:43)
at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
at org.infinispan.interceptors.InterceptorChain.invoke(InterceptorChain.java:336)
at org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1672)
at org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121)
at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111)
at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742)
at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248)
at org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291)
at org.keycloak.models.cache.infinispan.CacheManager.addRevisioned(CacheManager.java:137)
at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:232)
at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:266)
at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:281)
at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:64)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:394)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:128)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
--
Harold Campbell <hcamp(a)muerte.net>
Ever notice that the word "therapist" breaks down into "the rapist"?
Simple coincidence?
Maybe...
8 years, 2 months