Organization Based Accounts and Permissions
by Charles Henck
Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin
6 years, 1 month
user storage ldap or keycloak
by Istvan Orban
Dear Keycloak users.
I am very new to keycloak and I really like it. it is great.
I am currently migrating a legacy app ( using it's own user management ) to
support SSO.
I have set-up keycloak with openid connect and it works very well. At this
point we need to decide
if we will use keycloak as our main user store or we will set-up an LDAP.
My question is that. Is keycloak designed in a way that it can fullfil all
the responsibilities of the main user store?
Any risk with this at all?
ps: our userbase is small and at this point I am not sure if we want to add
ldap just for this.
--
Kind Regards,
*----------------------------------------------------------------------------------------------------------------*
*Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *
6 years, 2 months
Best setup to extend Keycloak
by Francis Zabala
Hello,
What is the best setup to develop custom SPI for Keycloak. I just skimmed the example codes in github and wondered on how to test my codes. Not TDD way of testing but a simple, hey, will this run properly?
Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS api for subscriber verification.
Regards,Francis
6 years, 9 months
How to stop the keycloak server from standalone sh
by Aritz Maeztu
Hello,
I'm running a keycloak instance from a docker image, so when I start the
container everything is up an running. Now I want to export the realms
and users to deploy it in production and I've got two chances:
1- Copy the values from the mysql database (I'm using the keycloak-mysql
image).
2- Run the standalone.sh export command.
I would like to go the second way, but I'm into trouble since the
widlfly server is launched with the docker container altogether. I can
browse in to it for the standalone.sh script, but still haven't found a
way to stop it (as the server is launched I get a "Address already in
use" error when I try to perform the export while the server is running).
Any ideas? Thanks in advance
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
6 years, 9 months
Offline tokens with external IDP
by Haim Vana
Hi,
We are using KeyCloak for a several weeks now, one of the flows is user script authentication with offline token:
1. The user log in to the UI
2. Generates offline token by entering his password again
3. Put the offline token in his script
4. Executes the script
Now we want to add external IDP support, first is it possible to generate offline tokens for extremal IDP in KeyCloak ? if so how ?
Second in section #2 above the user enters his password to generate the offline token, with external IDP we can't use his password, one alternative is to always generate the offline token in the login (add offline_access), however is it make sense to create offline token for every login ?
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
6 years, 10 months
User impersonation - JWT
by Harry Trinta
Dears,
I need a help with user impersonation on keycloak.
I am authenticating users through the
"/realms/test/protocol/openid-connect/token". As expected, it returns a
token JWT.
In my app, all requests go through apiman, which validates the JWT.
Now, I need to personification of user. I'm calling the service
"/admin/realms/test/users/USER_ID/impersonation", sending the token in the
header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...).
The service /impersonation creates the user session on keycloak, however
doesnt return a JWT, but 3 cookies. *I'd like to get the JWT of personified
user instead of cookie.* It's possible?
Best regards
Harry Costa
6 years, 10 months
Refreshing Tokens
by Christopher Davies
I adding keycloak into a legacy application that uses GWT and Jetty.
I have managed to get add Keycloak application using Spring-security.
Because this is GWT I am doing the authorisation in the application myself.
Sping just provides a way to get access to the KeycloakSecurityContext.
The issue I have is refreshing the token. I can get hold of
a RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot
refresh a token if the roles have changed.
Is this correct. I was hoping that the application could notice the role
changes and adapt itself on the fly.
I do not want to have to logout to get the new roles it at all possible. Is
there something that I have overlooked that will allow
me to use the idToken to get a new accessToken given that the
authentication of the user is still valid, it is just the roles the user is
in that have changed.
Thanks
Chris
6 years, 10 months
Force token refresh with the Spring Security adapter
by Aritz Maeztu
I'm using keycloak in a java client, configured with the Spring Security
adapter.
I've got a custom mapper in my keycloak configuration, so when the
access token is refreshed, keycloak accesses an endpoint to retrieve
some user permissions and they're stored in the token itself. Later on,
my client application checks the token without having to perform the
access to the permission endpoint itself (increased performance).
However, when an admin user changes his own permissions, I would like
the keycloak adapter to refresh the token after the permissions are
stored, this way the admin user is not required to have its token
refreshed or to re-login to load his new permissions.
Is there a way to achieve it? Some kind of operation to refresh current
session's token?
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
7 years, 2 months
programmatic authentication flow
by Steve Favez
Hi all,
I'd like to implement the following use case. I need a Browser
authentication flow that will add, after User / Password Form
Authenticator, a kind of "access rules" authenticator, that will, according
to some request parameters, (for example, ip address, or application) will
add dynamically a second factor authenticator in the flow. (Like OTP or
SMS).
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (For example, we provide a set of second factory, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during browser
authentication process, after providing user and password, user will get a
form allowing him to choose the second factory system he'd like to use to
authenticate.
My goal is to be able to reuse existing authenticator. (So, not to write a
big 2fa authenticator with all authenticators duplicated inside).
Thanks in advance for your valuable input
Cheers
St
7 years, 3 months
