Managing the attack surface of Keycloak
by John D. Ament
Hey,
So, a very high level question, and any insight you guys may have would
help.
We're looking to potentially deploy keycloak as a part of a public cloud
application to support authentication to our applications based on security
settings our tenants may use, which may include talking back to their
internal LDAPs, our LDAP, our database, or their hosted SAML solutions.
We're not looking to expose this UI to them, so they would never need to
login other than visiting the login page to access our applications. Are
there any mitigation strategies for reducing the attack surface of
keycloak? I saw that you had brute force detection available, in addition
to using public/private key pairs to do API authentication. I'm wondering
if there's any more security levels that could be leveraged? Does reducing
the amount of API endpoints accessible publically make sense in this
scenario? If so, what endpoints would need to be there to support
authentication?
John
9 years, 10 months
Is it possible to partial import an User Federation provider?
by Vincent Sluijter
Hello,
I'm trying to 'partial' import a json with an User Federation provider containing ldap configuration to connect to Active Directory, but the import keeps failing with the message "No resouces specified to import". Is it even possible to import a single user federation provider using the partial import function?
This message is subject to the following E-mail Disclaimer. (http://www.crv4all.com/disclaimer-email/) CRV Holding B.V. seats according to the articles of association in Arnhem, Dutch trade number 09125050.
9 years, 10 months
SAML Setup
by Marque Davis
Hi,
I’m working on moving SAML auth in one app into Keycloak. Since we have many clients hitting our existing API, we don’t want to change the external API. Instead we need to proxy through to Keycloak. I have a SAML test harness that generates the SAML doc and redirects to KC, but I constantly get a staleCodeError int he logs and the following error on the page it redirects to.
WE'RE SORRY ...
This page is no longer valid, please go back to your application and login again
I’ve setup an Identity Provider named “saml” and pointed my test app to the Redirect URI (http://192.168.99.100:10080/auth/realms/demo/broker/saml/endpoint). Config screenshot attached (if it isn’t stripped from email)
Am I doing something wrong, or is this just not a use case Keycloak is designed for?
[cid:7826F03C-D253-46FA-904F-ADC09DFAA111]
9 years, 10 months
Email Html template does not work... I guess
by Beljaev Aleksandr
Hello everyone.
I'm trying to send html-emails from keycloak administration console to some user, but this user gets only plain text messages.
As I see in sources, keycloak can work with html, but I don't know how to switch on this option.
Even if I'm trying to write html in text template, messages are still only text, but with html-tags.
Example for executeActions:
Template html:
<html>
<body>
${msg("executeActionsBodyHtml",link,linkExpiration,realmName)}
</body>
</html>
Template text:
<html>
<body>
<p>${msg("executeActionsBody",link,linkExpiration,realmName)}</p>
</body>
</html>
Template message:
executeActionsBody=PlainTextMessage
executeActionsBodyHtml=<p>HtmlTextMessage</p>
Recived email:
<html>
<body>
<p> PlainTextMessage </p>
</body>
</html>
What am I doing wrong?
How could I configure KeyCloak to send html messages with template from themes/{theme name}/email/html?
Aleksandr Belyaev,
QA engeneer,
Center of Financial Technologies,
e-mail: A.Beljaev(a)ftc.ru<mailto:A.Beljaev@ftc.ru>
http://www.cft.ru<http://www.cft.ru/>
[cid:InlineMailImage_6944a6d1aaad40e886cadb18d509edf8.gif]
9 years, 10 months
Absolute links in admin pages
by Pål Oliver Kristiansen
Hi!
We are trying to install Keycloak on a server behind a BigIP SSL
terminator. Keycloak is running within a Docker container on a different
server.
But trying to open the Administration Console fails because all the links
within the markup are absolute links which is resolved to
http://localhost:9555/auth/...
So both the scheme and the hostname is wrong.
Questions:
Why are these links absolute? Is there a way to configure this to be
relative links?
Or, if they must be absolute, is there a way to configure the links to
become correct?
>From what I can gather, this is the line where the absolute link is
resolved:
https://github.com/keycloak/keycloak/blob/5c98b8c6ae7052b2d906156d8fc212c...
Thanks!
9 years, 10 months
Apache or other webserver adapter
by Okie Oth
Hello,
I wonder if there is a way to protected static webserver ressources with
keycloak. I have a Apache Adapter in mind but I can't find anything
about this topic.
Kind regards
Eiko
9 years, 10 months
SSO between apps with different protocol
by Rafael T. C. Soares
Hi!
I have one common realm (eg: demo-realm) with two client apps under it:
- 1st app using SAML protocol - hosted in app srv 1 (tomcat)
- 2nd app using Keycloak default OpenID Connect - hosted in app srv 2
(JBoss EAP)
What I need to do in order to enable SSO between these both apps?
I tried log in in the 1st one and them tried to access the 2nd one, but
the SSO does not works :-/
--
___
Rafael T. C. Soares
9 years, 10 months
(no subject)
by Gareth Healy
I am trying to secure a URL with KeyCloak, backed by Kerberos. I've
followed the below link, but sadly not not seeing what i would expect.
-
https://github.com/keycloak/keycloak-documentation/blob/master/topics/jbo...
The exploded war web.xml contains:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="
http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<listener>
<listener-class>io.apiman.gateway.platforms.war.listeners.WarGatewayBootstrapper</listener-class>
</listener>
<!-- Gateway Servlet -->
<servlet>
<servlet-name>GatewayServlet</servlet-name>
<servlet-class>io.apiman.gateway.platforms.war.servlets.WarGatewayServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>GatewayServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>apiman-gateway</web-resource-name>
<url-pattern>/apiman-gateway/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
And the keycloak.json file in the WEB-INF folder contains:
{
"realm": "apiman",
"realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyG61ohrfJQKNmDA/ePZtqZVpPXjwn3k3T+iWiTvMsxW2+WlnqIEmL5qZ09DMhBH9r50WZRO2gVoCb657Er9x0vfD6GNf/47XU2y33TX8axhP+hSwkv/VViaDlu4jQrfgPWz/FXMjWIZxg1xQS+nOBF2ScCRYWNQ/ZnUNnvrq8dGC2/AlyeYcgDUOdwlJuvgkGlF0QoVPQiRPurR3RwlG+BjL8JB3hbaAZhdJqwqApmGQbcpgLj2tODnlrZnEAp5cPPU/lgqCE1OOp78BAEiE91ZLPl/+D8qDHk+Maz0Io3bkeRZMXPpvtbL3qN+3GlF8Yz264HDSsTNrH+nd19tFQIDAQAB",
"auth-server-url": "https://reuxgbls359:8443/auth",
"ssl-required": "none",
"resource": "apiman-gateway",
"public-client": true
}
When i hit the URL, i see the below debug:
2016-06-02 13:20:10,460 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(default task-43) adminRequest
https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
2016-06-02 13:20:10,461 DEBUG
[org.keycloak.adapters.undertow.ServletSessionTokenStore] (default task-43)
session was null, returning null
2016-06-02 13:20:10,461 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) there
was no code
2016-06-02 13:20:10,461 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43)
redirecting to auth server
2016-06-02 13:20:10,462 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43)
callback uri: https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
2016-06-02 13:20:10,463 DEBUG
[org.keycloak.adapters.AuthenticatedActionsHandler] (default task-43)
AuthenticatedActionsValve.invoke
https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
But i never get redirected to the auth/login page.
Any ideas what i am doing wrong?
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214
E-Mail: gahealy(a)redhat.com
Registered in England and Wales under Company Registration No. 03798903
9 years, 10 months
Re: [keycloak-user] Keycloak integration with REST service
by Jim Dillon
It looks like a custom User Federation Provider in needs to be created in
order to access a REST Service for user information and an Authentication
Provider to authenticate against a REST Service.
I've looked at the example User Federation Provider that uses a static file
and the Authentication Provider examples which enforce secret question /
answer flow. I have a better understanding of what needs to be
accomplished, but I'm still quite a ways from where I need to be.
Can anyone point me in the direction of an example User Federation Provider
and / or an Authentication Provider that uses a REST Service? (Google
hasn't found any examples for me.)
Is there more documentation to be found on these subjects other than the
inline code comments, User Manual, and github based docs?
Could I possibly be making it more difficult than it is, do I simply need
to substitute http requests for file i/o in the User Federation Provider
example?
The Flow (as I understand it, please confirm / correct as needed):
1. User lands on Keycloak login page and initiates login
2. User does not exist in Keycloak
3. REST API is asked to authenticate via Authentication Provider SPI
4. User is authenticated
5. REST API is asked for user information to create user in Keycloak
(part of this process would need to decrypt the existing password and then
encrypt it using Keycloak's "default" method.)
6. User is created in Keycloak and any further authentication /
authorization logic will remain "in house"
Thank you for your time,
jim
9 years, 10 months
