Managing the attack surface of Keycloak
by John D. Ament
Hey,
So, a very high level question, and any insight you guys may have would
help.
We're looking to potentially deploy keycloak as a part of a public cloud
application to support authentication to our applications based on security
settings our tenants may use, which may include talking back to their
internal LDAPs, our LDAP, our database, or their hosted SAML solutions.
We're not looking to expose this UI to them, so they would never need to
login other than visiting the login page to access our applications. Are
there any mitigation strategies for reducing the attack surface of
keycloak? I saw that you had brute force detection available, in addition
to using public/private key pairs to do API authentication. I'm wondering
if there's any more security levels that could be leveraged? Does reducing
the amount of API endpoints accessible publically make sense in this
scenario? If so, what endpoints would need to be there to support
authentication?
John
9 years, 11 months
Is it possible to partial import an User Federation provider?
by Vincent Sluijter
Hello,
I'm trying to 'partial' import a json with a User Federation provider containing ldap configuration to connect to Active Directory, but the import keeps failing with the message "No resouces specified to import". Is it even possible to import a single user federation provider using the partial import function?
9 years, 11 months
SAML Setup
by Marque Davis
Hi,
I’m working on moving SAML auth in one app into Keycloak. Since we have many clients hitting our existing API, we don’t want to change the external API. Instead we need to proxy through to Keycloak. I have a SAML test harness that generates the SAML doc and redirects to KC, but I constantly get a staleCodeError in the logs and the following error on the page it redirects to.
WE'RE SORRY ...
This page is no longer valid, please go back to your application and login again
I’ve set up an Identity Provider named “saml” and pointed my test app to the Redirect URI (http://192.168.99.100:10080/auth/realms/demo/broker/saml/endpoint). Config screenshot attached (if it isn’t stripped from the email).
Am I doing something wrong, or is this just not a use case Keycloak is designed for?
9 years, 11 months
Email Html template does not work... I guess
by Beljaev Aleksandr
Hello everyone.
I'm trying to send html emails from the keycloak administration console to some user, but this user gets only plain text messages.
As I see in the sources, keycloak can work with html, but I don't know how to switch on this option.
Even if I try to write html in the text template, messages are still only text, but with html tags.
Example for executeActions:
Template html:
<html>
<body>
${msg("executeActionsBodyHtml",link,linkExpiration,realmName)}
</body>
</html>
Template text:
<html>
<body>
<p>${msg("executeActionsBody",link,linkExpiration,realmName)}</p>
</body>
</html>
Template message:
executeActionsBody=PlainTextMessage
executeActionsBodyHtml=<p>HtmlTextMessage</p>
Received email:
<html>
<body>
<p> PlainTextMessage </p>
</body>
</html>
What am I doing wrong?
How could I configure KeyCloak to send html messages with template from themes/{theme name}/email/html?
Aleksandr Belyaev,
QA engineer,
Center of Financial Technologies,
e-mail: A.Beljaev(a)ftc.ru
http://www.cft.ru
9 years, 11 months
Absolute links in admin pages
by Pål Oliver Kristiansen
Hi!
We are trying to install Keycloak on a server behind a BigIP SSL
terminator. Keycloak is running within a Docker container on a different
server.
But trying to open the Administration Console fails because all the links
within the markup are absolute links which are resolved to
http://localhost:9555/auth/...
So both the scheme and the hostname are wrong.
Questions:
Why are these links absolute? Is there a way to configure this to be
relative links?
Or, if they must be absolute, is there a way to configure the links to
become correct?
From what I can gather, this is the line where the absolute link is
resolved:
https://github.com/keycloak/keycloak/blob/5c98b8c6ae7052b2d906156d8fc212c...
Thanks!
9 years, 11 months
Apache or other webserver adapter
by Okie Oth
Hello,
I wonder if there is a way to protect static webserver resources with
keycloak. I have an Apache Adapter in mind but I can't find anything
about this topic.
Kind regards
Eiko
9 years, 11 months
SSO between apps with different protocol
by Rafael T. C. Soares
Hi!
I have one common realm (eg: demo-realm) with two client apps under it:
- 1st app using SAML protocol - hosted in app srv 1 (tomcat)
- 2nd app using Keycloak default OpenID Connect - hosted in app srv 2
(JBoss EAP)
What do I need to do in order to enable SSO between these two apps?
I tried logging in to the 1st one and then tried to access the 2nd one, but
SSO does not work :-/
--
___
Rafael T. C. Soares
9 years, 11 months
(no subject)
by Gareth Healy
I am trying to secure a URL with KeyCloak, backed by Kerberos. I've
followed the below link, but sadly I am not seeing what I would expect.
-
https://github.com/keycloak/keycloak-documentation/blob/master/topics/jbo...
The exploded war web.xml contains:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="
http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<listener>
<listener-class>io.apiman.gateway.platforms.war.listeners.WarGatewayBootstrapper</listener-class>
</listener>
<!-- Gateway Servlet -->
<servlet>
<servlet-name>GatewayServlet</servlet-name>
<servlet-class>io.apiman.gateway.platforms.war.servlets.WarGatewayServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>GatewayServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>apiman-gateway</web-resource-name>
<url-pattern>/apiman-gateway/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
And the keycloak.json file in the WEB-INF folder contains:
{
"realm": "apiman",
"realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyG61ohrfJQKNmDA/ePZtqZVpPXjwn3k3T+iWiTvMsxW2+WlnqIEmL5qZ09DMhBH9r50WZRO2gVoCb657Er9x0vfD6GNf/47XU2y33TX8axhP+hSwkv/VViaDlu4jQrfgPWz/FXMjWIZxg1xQS+nOBF2ScCRYWNQ/ZnUNnvrq8dGC2/AlyeYcgDUOdwlJuvgkGlF0QoVPQiRPurR3RwlG+BjL8JB3hbaAZhdJqwqApmGQbcpgLj2tODnlrZnEAp5cPPU/lgqCE1OOp78BAEiE91ZLPl/+D8qDHk+Maz0Io3bkeRZMXPpvtbL3qN+3GlF8Yz264HDSsTNrH+nd19tFQIDAQAB",
"auth-server-url": "https://reuxgbls359:8443/auth",
"ssl-required": "none",
"resource": "apiman-gateway",
"public-client": true
}
When i hit the URL, i see the below debug:
2016-06-02 13:20:10,460 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(default task-43) adminRequest
https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
2016-06-02 13:20:10,461 DEBUG
[org.keycloak.adapters.undertow.ServletSessionTokenStore] (default task-43)
session was null, returning null
2016-06-02 13:20:10,461 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) there
was no code
2016-06-02 13:20:10,461 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43)
redirecting to auth server
2016-06-02 13:20:10,462 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43)
callback uri: https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
2016-06-02 13:20:10,463 DEBUG
[org.keycloak.adapters.AuthenticatedActionsHandler] (default task-43)
AuthenticatedActionsValve.invoke
https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
But i never get redirected to the auth/login page.
Any ideas what i am doing wrong?
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
9 years, 11 months
Re: [keycloak-user] Keycloak integration with REST service
by Jim Dillon
It looks like a custom User Federation Provider needs to be created in
order to access a REST Service for user information and an Authentication
Provider to authenticate against a REST Service.
I've looked at the example User Federation Provider that uses a static file
and the Authentication Provider examples which enforce secret question /
answer flow. I have a better understanding of what needs to be
accomplished, but I'm still quite a ways from where I need to be.
Can anyone point me in the direction of an example User Federation Provider
and / or an Authentication Provider that uses a REST Service? (Google
hasn't found any examples for me.)
Is there more documentation to be found on these subjects other than the
inline code comments, User Manual, and github based docs?
Could I possibly be making it more difficult than it is, do I simply need
to substitute http requests for file i/o in the User Federation Provider
example?
The Flow (as I understand it, please confirm / correct as needed):
1. User lands on Keycloak login page and initiates login
2. User does not exist in Keycloak
3. REST API is asked to authenticate via Authentication Provider SPI
4. User is authenticated
5. REST API is asked for user information to create user in Keycloak
(part of this process would need to decrypt the existing password and then
encrypt it using Keycloak's "default" method.)
6. User is created in Keycloak and any further authentication /
authorization logic will remain "in house"
Thank you for your time,
jim
9 years, 11 months
Re: [keycloak-user] KC 1.9.4 Error during
by Marek Posolda
Does your keycloak server have a certificate signed by a known CA
or are you using a self-signed one? If you have a self-signed certificate, you also
need to configure a truststore. See
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a...
and especially properties related to truststore.
Marek
On 31/05/16 15:00, Emil Posmyk wrote:
> sorry, i forgot to finish title
>
> {
> "realm": "Brandpath",
> "realm-public-key": "key.....",
> "auth-server-url": "https://sabdev_oms.brandpath.net/auth",
> "ssl-required": "external",
> "resource": "oms-web",
> "credentials": {
> "secret": "secret"
> },
> "use-resource-role-mappings": true
> }
>
>
>
> regards
> --
> Emil Posmyk
>
> 2016-05-31 14:26 GMT+02:00 Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>>:
>
> How is "auth-server-url" in your keycloak.json configured? If
> you're using a relative URI, then you can maybe try to use an absolute
> URI and see if it helps?
>
> Marek
>
>
> On 31/05/16 14:19, Emil Posmyk wrote:
>> Hello
>>
>> I'm receiving an error when I try to log in to our application:
>> ClientProtocolException: URI does not specify a valid host name:
>> https:/auth/realms/Brandpath/protocol/openid-connect/token
>> The http protocol is working fine, no errors, but using https I
>> receive each time a URI without a host name.
>> Auth page is working fine.
>>
>> What can cause that error ?
>>
>>
>> 14:59:22,937 ERROR
>> [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-2) failed to turn code into token:
>> org.apache.http.client.ClientProtocolException: URI does not
>> specify a valid host name:
>> https:/auth/realms/Brandpath/protocol/openid-connect/token
>> [Server:ms-server1] at
>> org.apache.http.impl.client.CloseableHttpClient.determineTarget(CloseableHttpClient.java:94)
>> [Server:ms-server1] at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>> [Server:ms-server1] at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>> [Server:ms-server1] at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>> [Server:ms-server1] at
>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>> [Server:ms-server1] at
>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
>> [Server:ms-server1] at
>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
>> [Server:ms-server1] at
>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
>> [Server:ms-server1] at
>> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>> [Server:ms-server1] at
>> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>> [Server:ms-server1] at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>> [Server:ms-server1] at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>> [Server:ms-server1] at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>> [Server:ms-server1] at
>> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>> [Server:ms-server1] at
>> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>> [Server:ms-server1] at
>> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>> [Server:ms-server1] at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>> [Server:ms-server1] at
>> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>> [Server:ms-server1] at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [Server:ms-server1] at
>> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>> [Server:ms-server1] at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> [Server:ms-server1] at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> [Server:ms-server1] at
>> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>> [Server:ms-server1] at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> [Server:ms-server1] at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> [Server:ms-server1] at
>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> [Server:ms-server1] at
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> [Server:ms-server1] at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [Server:ms-server1] at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> [Server:ms-server1] at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [Server:ms-server1] at
>> org.wildfly.mod_cluster.undertow.metric.RunningRequestsHttpHandler.handleRequest(RunningRequestsHttpHandler.java:69)
>> [Server:ms-server1] at
>> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>> [Server:ms-server1] at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [Server:ms-server1] at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> [Server:ms-server1] at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> [Server:ms-server1] at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> [Server:ms-server1] at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> [Server:ms-server1] at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> [Server:ms-server1] at
>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> [Server:ms-server1] at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> [Server:ms-server1] at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> [Server:ms-server1] at java.lang.Thread.run(Thread.java:745)
>>
>> regards
>> --
>> Emil Posmyk
>>
>>
>
>
9 years, 11 months
Async request/response processing at Keycloak
by Bystrik Horvath
Hello community,
I found that (since 1.9.2?) there's RealmResourceProvider that gives me the
possibility to provide own REST endpoint. After implementing the endpoint
using the async capability of jax-rs, I'm getting an exception like:
UT010026: Async is not supported for this request, as not all filters or
Servlets were marked as supporting async.
How is it possible to tweak Keycloak (I'm currently on 1.9.3) to
asynchronously respond to my requests in implementation of
RealmResourceProvider?
Thank you for any comment on this.
Best regards,
Bystrik
9 years, 11 months
Help : Problem with CORS - Spring boot - Angular 2
by Cyril Casaucau
Hello,
I have a problem securing my REST web service.
I have a Spring Boot application which is a REST web service and an Angular 2
application which calls the web service.
I'm using the keycloak-spring-security-adapter with this configuration :
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    /**
     * Registers the KeycloakAuthenticationProvider with the authentication manager.
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    /**
     * Defines the session authentication strategy.
     */
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers("/userFacade*").hasRole("user")
            .anyRequest().permitAll();
    }
}
And I have configured CORS in the Spring Boot config like this:
@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurerAdapter() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/userFacade/**")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                .allowedOrigins("*")
                .allowedHeaders("Authorization", "Content-Type", "X-Requested-With");
        }
    };
}
The endpoint :
@RestController
@RequestMapping("/userFacade")
public class UserFacade {

    @Autowired
    private UserService userService;

    @RequestMapping(method = RequestMethod.GET, value = "/getAllUsers")
    public List<UserDTO> getAllUsers() {
        return userService.getAllUsers();
    }
}
When I make the call on the frontend, Chrome tells me this:
XMLHttpRequest cannot load http://localhost:8080/userFacade/getAllUsers.
The request was redirected to 'http://localhost:8080/', which is disallowed
for cross-origin requests that require preflight.
My headers on the frontend side:
this.headers.append('Authorization', 'BEARER ' + localStorage.getItem('token'));
this.headers.append('Content-Type', 'application/json');
this.headers.append('X-Requested-With', 'XMLHttpRequest');
I have tried a lot of things, like using the keycloak-spring-boot-adapter,
but I get the same kind of error.
Can you help me?
Thanks,
Best regards,
9 years, 11 months
Keycloak integration with REST service
by Mike Love
Hi Jim,
I would suggest that you achieve this integration using a custom User Federation Provider.
You would need to implement UserFederationProviderFactory & UserFederationProvider
I have an outstanding blog to write re implementing a custom user federation provider.
If you need additional assistance, let me know and I will try to prioritise this
Regards,
Mike
--
www.symbiotics.co.za
9 years, 11 months