OIDCFilterSessionStore
by Mohan.Radhakrishnan@cognizant.com
Hi,
I have some doubts. I am using spring boot. The servlet filter adapter actually uses sessions. Is that right? I was thinking the token will be required for every Rest endpoint access. But unless I clear jsessionid it is not required. Have I understood this correctly?
How do I get the claims from my implicit token? Do I need the spring boot adapter? Can I see an example combining implicit token and boot adapter?
Thanks,
Mohan
This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.
8 years, 4 months
One click social-account linking widgets on website authenticated by Keycloak JS adapter
by Vlastimil Elias
Hi,
we have a requirement to implement 'One click social-account linking
widgets' on a website authenticated by the Keycloak JS adapter. To achieve this
a button would be placed on the website with the following flow:
1. User logs into the website (keycloak JS adapter)
2. User browses to a part of the site requiring social account linking
(site checks linking status of current user for given social login
provider based on info in token - we wrote our mapper for this)
3. User clicks on a button to link the required social account with his
Keycloak account
4. User is directed through the linking process (which is similar as
Social Link action in Account app)
5. User is returned to original page on successful account linking
(token in js client must be refreshed to contain actual info about
social links).
Is there any way how to achieve this? I tried to call JS client login
method with idpHint when user is logged in
(keycloak.login({"idpHint":"github"})), but it doesn't work as expected.
Thanks a lot in advance
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
Red Hat Developer | Engineering
8 years, 4 months
How to implement this using Keycloak
by Rong Sang (CL-ATL)
Hi all,
I'm doing a POC using Keycloak. The normal authentication/authorization features work well, but I have the following requirement that I cannot find a straightforward solution for. I hope some security experts on the mailing list can point me in the right direction.
Here is the requirement. A hospital has multiple units. Users should not have access to patients in a unit for which they are not authorized. I have one service that returns a list of patients across units. What's the best way to set up authorization for this service?
As I said earlier, I cannot find a feature for me to implement this. Any idea is greatly appreciated.
Thanks,
Rong
8 years, 4 months
Unable to understand authorization/get it to work
by Ushanas Shastri
Hello,
This is my first post on this mailing list, and I've been evaluating Keycloak for a couple of days.
I've been unable to get Authorization to work the way I thought it should. Maybe I've not understood it right, and could do with some help. I am using the builtin Evaluation tool to check.
Here's my scenario:
I have a web based application, where we have typical CRUD operations being performed.
For e.g. the application maintains a list of Source from which we expect to receive data. Users have the ability to add, edit, view or delete a Source, provided the Sources belong to their Business Unit. Here's what I did in Keycloak.
- Created Source as a resource, with the 4 actions as scopes (add, edit, view and delete).
- Added a Role based Policy to a role called "ViewOnly"
- The ViewOnly role is mapped to users.
- Created a Scope based permission, where View is the only scope on the resource, attached to the ViewOnly policy.
Now, when I use the evaluation tool for scope "View", I get a permit, which is as expected.
I then check the evaluation tool for scope "Delete", and I get a message "Could not obtain any result for the given authorization request. Check if the provided resource(s) or scope(s) are associated with any policy." Is this as expected? Isn't this supposed to return a Deny since the Policy Enforcement Mode on the realm is "Enforcing"? Is this just a UI message, indicating the same as a Deny?
Now, I add Delete as a scope to the same permission, and check on Delete scope in the evaluation tool, but I continue to get the same message as above. Shouldn't I be receiving a PERMIT now, as the same permission was modified to include the Delete Scope?
The summary is that if I have more than one scope added to the permission, the evaluation tool returns this message. If I have only one scope in a policy, it works for me.
What am I missing?
Regards, Ushanas.
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
8 years, 4 months
How to remove a realm in KeyCloak?
by Martin Min
Is there a way to delete a realm in KeyCloak? In the Admin Console, I only see
that I can create one, but can't delete. Is there a way to do that?
Thank you.
Martin
8 years, 4 months
Kerberos keytab in a Clustered KC setup
by Rafael T. C. Soares
Hi!
How should I generate my Kerberos keytab file to use in a KC clustered
domain (multiple hosts)?
Do I have to create a keytab for each KC host? When I create the keytab I
have to specify the Service Principal (e.g.
'HTTP/myhost.example.com@MYDOM.COM'). But how will KC know which
Service Principal it should use if I have different KC instances
distributed across different hosts? Is there a way to create a Service
Principal in a keytab that serves the entire cluster regardless of the
KC host instance?
Thanks in advance!
--
___
Rafael T. C. Soares
8 years, 4 months
Re: [keycloak-user] Implicit flow test
by Mohan.Radhakrishnan@cognizant.com
The messages that I see in the command-line are these.
If I comment
registration.addInitParameter("keycloak.config.file", "D:/OpenIDM/keycloak.json");
I see
15:13:03,404 WARN [org.keycloak.events] (default task-48) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_code
If I don't comment that line I see this. I am assuming in this case the filter is validating but don't know what this means.
13:37:34,896 WARN [org.keycloak.events] (default task-38) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=Pearson, userId=f145fdaf-4c98-468f-bdd8-2a37e1e35bb8, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=48565291-f694-4961-8bc5-8f36910de464, client_auth_method=client-secret
Thanks,
Mohan
From: Radhakrishnan, Mohan (Cognizant)
Sent: Friday, July 29, 2016 1:56 PM
To: 'keycloak-user@lists.jboss.org' <keycloak-user@lists.jboss.org>
Subject: Implicit flow test
Hi,
I am using keycloak-2.0.0.Final standalone server and I have enabled 'Implicit'
http://localhost:8080/auth/realms/Pearson/protocol/openid-connect/auth?re...
The URL shown above shows me the login page and redirects after obtaining the id_token, and I get the proper output in the browser.
http://localhost:8000/keycloak/greeting/#id_token=eyJhbGciOiJSUzI1NiJ9.ey...
My filter configuration is this.
@Bean
public FilterRegistrationBean someFilterRegistration() {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(keycloakOIDCFilter());
    registration.addUrlPatterns("/keycloak/*");
    registration.addInitParameter("keycloak.config.file", "D:/OpenIDM/keycloak.json");
    registration.setName("keycloakOIDCFilter");
    registration.setOrder(1);
    return registration;
}
Is the id_token getting validated by the filter? How do I know that it is? Have I misunderstood the validation? Logging for the filter or keycloak should be enabled. How?
Thanks,
Mohan
8 years, 4 months
Multi tenancy -Groups
by Subrahmanyam BV
Hi, here are a few questions regarding Groups and multi-tenancy approaches.
1. Assume a scenario where one client (application) in Keycloak is to be accessible by a couple of customers (customer 1 and customer 2). What are the possible approaches?
2. Can I have one realm per customer? In this case the client has to be duplicated per realm and the keycloak.json file has to be updated every time a new customer comes in.
3. If we have one realm and a group per customer, then I should be able to restrict access (user management) per group.
Please suggest on this.
Regards, Subrahmanyam.
8 years, 4 months
Implicit flow test
by Mohan.Radhakrishnan@cognizant.com
Hi,
I am using keycloak-2.0.0.Final standalone server and I have enabled 'Implicit'
http://localhost:8080/auth/realms/Pearson/protocol/openid-connect/auth?re...
The URL shown above shows me the login page and redirects after obtaining the id_token, and I get the proper output in the browser.
http://localhost:8000/keycloak/greeting/#id_token=eyJhbGciOiJSUzI1NiJ9.ey...
My filter configuration is this.
@Bean
public FilterRegistrationBean someFilterRegistration() {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(keycloakOIDCFilter());
    registration.addUrlPatterns("/keycloak/*");
    registration.addInitParameter("keycloak.config.file", "D:/OpenIDM/keycloak.json");
    registration.setName("keycloakOIDCFilter");
    registration.setOrder(1);
    return registration;
}
Is the id_token getting validated by the filter? How do I know that it is? Have I misunderstood the validation? Logging for the filter or keycloak should be enabled. How?
Thanks,
Mohan
8 years, 4 months
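The two threads above ask how to get claims out of an implicit-flow id_token and how to tell whether it was actually validated; the following added example (not code from either post or from the Keycloak project) shows the checks a verifier must perform on such a token before its claims are trusted. It assumes a keycloak-core version that ships org.keycloak.TokenVerifier (newer than the 2.0.0 mentioned in the post), and the realm URL, client id "Pearson" and the realm public key are placeholders taken from the poster's setup; note that the id_token arrives in the URL fragment (#id_token=...), which the browser never sends to the server, so the page's JavaScript has to hand it to the backend before a server-side check like this can run.

```java
// Added example, not from the original posts: verify a Keycloak implicit-flow
// id_token the way an adapter must, then read its claims.
// Assumes keycloak-core on the classpath (org.keycloak.TokenVerifier, IDToken).
import java.security.PublicKey;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.IDToken;

public class ImplicitIdTokenCheck {

    // Placeholders from the poster's setup; adjust to your realm and client.
    static final String REALM_URL = "http://localhost:8080/auth/realms/Pearson";
    static final String CLIENT_ID = "Pearson";

    /**
     * Verifies the RS256 signature, issuer, expiry and audience of an id_token
     * and checks the nonce against the one sent in the authorization request.
     * realmKey is the realm's RSA public key (Realm Settings > Keys in the admin console).
     * Throws VerificationException on any failed check; a token that reaches the
     * return statement has passed every check.
     */
    static IDToken verify(String idToken, PublicKey realmKey, String expectedNonce)
            throws VerificationException {
        IDToken token = TokenVerifier.create(idToken, IDToken.class)
                .checkActive(true)          // exp / nbf against the current time
                .realmUrl(REALM_URL)        // iss must be exactly this realm
                .audience(CLIENT_ID)        // aud must name our client
                .publicKey(realmKey)        // signature check; a token signed by anyone else fails here
                .verify()
                .getToken();
        // The nonce ties this token to the request that started the implicit flow,
        // so a token captured from another flow cannot be replayed into this one.
        if (expectedNonce != null && !expectedNonce.equals(token.getNonce())) {
            throw new VerificationException("nonce mismatch");
        }
        return token;
    }

    /** Reads standard and mapper-added claims from a verified token. */
    static void printClaims(IDToken token) {
        System.out.println("sub=" + token.getSubject());
        System.out.println("preferred_username=" + token.getPreferredUsername());
        System.out.println("email=" + token.getEmail());
        // Claims added by protocol mappers (e.g. a custom social-link claim) land here.
        token.getOtherClaims().forEach((k, v) -> System.out.println(k + "=" + v));
    }
}
```

The REFRESH_TOKEN_ERROR / invalid_token events in the log lines above are emitted on the server side for tokens that fail these same checks, so enabling DEBUG on org.keycloak.events is the quickest way to see which check rejected a token.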