Re: [keycloak-user] Brokering with OIDC and Direct Access Grant
by Marek Posolda
Not OOTB. You can create a JIRA though (or search if a JIRA already exists)
for better OOTB brokering support with the directGrant. But I guess we
are not going to add that in the near future unless there is bigger
demand for it...
Another option is that for AngularJS you can use the keycloak.js adapter. We
have examples for that in the example distribution. We also have support
for themes, so you can customize the login page.
Marek
On 26/01/17 18:58, Alexander Chriztopher wrote:
> Thanks for all the tips Marek.
>
> Does this mean that for any Single Page Application where we do not
> want to take the user outside of the single application page to a
> login page there are no solutions with Keycloak when brokering ?
> Actually, this is our real use case. Our SPA (Angular JS) is
> configured with Keycloak A and we want users known by Keycloak B to be
> able to authenticate on our app but we don't want them to lose the
> context of the app by redirecting their navigator to another page.
>
> On Thu, Jan 26, 2017 at 9:35 AM, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
>
> We don't have brokering for directGrant flow though. You would
> need to code authenticator by yourself.
>
> Maybe I would do something like the authenticator where you can
> send the parameters like for example
> "grant_type=password&client_id=your-client&external_idp=true&external_username=john-from-kc-b&external_password=johnspassword"
> You will create new directGrant flow and you will put your
> authenticator to it. Your authenticator will then do something like:
> - Check if there is an "external_idp=true" parameter. If not, then
> just passthrough to other authenticators in the chain to do
> classic directGrant login against the "local" Keycloak server (like
> the default directGrant flow does)
> - Then check the parameters external_username and
> external_password to login against your Keycloak B (Assuming you
> know where Keycloak B is and what is the desired clientId of
> Keycloak B to authenticate against it)
> - If authentication against Keycloak B is successful, you will
> successfully finish the authenticator, so your client will receive
> the accessToken from Keycloak A, which can be used to access your API.
>
> You can take a look at existing Authentication SPI docs and
> examples and at the existing implementations of DirectGrant
> authenticators for the inspiration (ValidateUsername,
> ValidatePassword, ValidateOTP)
>
> Marek
>
>
> On 24/01/17 15:13, Alexander Chriztopher wrote:
>> What I need at the end is to be able to call an API protected by
>> Keycloak A with a user known by Keycloak B.
>>
>> In another way, what we want to do is brokering but with Direct
>> Access Grant and not in the browser as it is described in
>> the Keycloak documentation here :
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/id...
>> <https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/id...>.
>> What would be the Direct Access Grant flow to achieve the same
>> thing ?
>>
>> On Tue, Jan 24, 2017 at 12:49 PM, Marek Posolda
>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>>
>> We have support for identity brokering, but not sure if that
>> helps with your usecase. As if I understand correctly, you
>> have token for B and you want to access API protected by A
>> with the B-token, right?
>>
>> If you don't want to use multitenancy for some reason, I
>> think you may have to validate token by yourself and your
>> application side instead of using our adapters. As even if A
>> and B use the same publicKey for token verification, the
>> issuer in the B-Token will be different though, so our
>> adapter (which verifies the issuer) will fail.
>>
>> Also you can implement your own directGrant authenticator in
>> the Keycloak-A, which will allow you to authenticate with the
>> b-token (sent to it in some parameter) and then return you
>> back the a-token, which you can then validate. Defacto
>> exchange b-token for a-token. See Authentication SPI docs for
>> more details.
>>
>> Marek
>>
>>
>> On 24/01/17 12:14, Alexander Chriztopher wrote:
>>> Actually, we don't want our API to know the B instance.
>>>
>>> Is there any other solution (am thinking about brokering
>>> between A and B and creating a client for instance B in
>>> instance A etc.) ?
>>>
>>> And yes, A and B are not in a cluster for organisation matters.
>>>
>>> On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda
>>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>>>
>>> I assume that Keycloak instances A and B are not in
>>> cluster? If you can put them in cluster, you will have
>>> this supported OOTB.
>>>
>>> Also did you see our multitenancy feature and
>>> multi-tenant example? This allows that application (API)
>>> is protected by both instance A or B. So based on the
>>> token from the request, you will see if you should use
>>> keycloak A or B to validate token.
>>>
>>> Marek
>>>
>>>
>>> On 24/01/17 11:05, Alexander Chriztopher wrote:
>>>
>>> Hello,
>>>
>>> Am looking for the flow to get an access token with
>>> OIDC and 2 Keycloak
>>> instances (A and B).
>>>
>>> User is known by instance B and gets an access token
>>> from instance B then
>>> needs to access an API protected with instance A.
>>>
>>> What would be the best way to do it ?
>>>
>>> Thanks for any help.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> <mailto:keycloak-user@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
7 years, 11 months
user storage provider (Keycloak 2.5.0) deployed as war file: CDI does not work
by Matuszak, Eduard
Hello
It is not possible for me to get CDI (@Inject) to work in a user storage provider application (Keycloak 2.5.0) deployed as a war file. The required beans.xml is placed correctly in the war file and passed by Weld during deployment, but all injected objects are null.
Is this a known (and possibly enforced) behaviour, a (minor) bug or simply due to a missing trick?
Thanks in advance for any feedback, Eduard Matuszak
7 years, 11 months
Re: [keycloak-user] Brokering with OIDC and Direct Access Grant
by Marek Posolda
We don't have brokering for directGrant flow though. You would need to
code authenticator by yourself.
Maybe I would do something like the authenticator where you can send the
parameters like for example
"grant_type=password&client_id=your-client&external_idp=true&external_username=john-from-kc-b&external_password=johnspassword"
You will create new directGrant flow and you will put your authenticator
to it. Your authenticator will then do something like:
- Check if there is an "external_idp=true" parameter. If not, then just
passthrough to other authenticators in the chain to do classic
directGrant login against the "local" Keycloak server (like the default
directGrant flow does)
- Then check the parameters external_username and external_password to
login against your Keycloak B (Assuming you know where Keycloak B is and
what is the desired clientId of Keycloak B to authenticate against it)
- If authentication against Keycloak B is successful, you will successfully
finish the authenticator, so your client will receive the accessToken
from Keycloak A, which can be used to access your API.
You can take a look at existing Authentication SPI docs and examples and
at the existing implementations of DirectGrant authenticators for the
inspiration (ValidateUsername, ValidatePassword, ValidateOTP)
Marek
On 24/01/17 15:13, Alexander Chriztopher wrote:
> What I need at the end is to be able to call an API protected by
> Keycloak A with a user known by Keycloak B.
>
> In another way, what we want to do is brokering but with Direct
> Access Grant and not in the browser as it is described in the
> Keycloak documentation here :
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/id....
> What would be the Direct Access Grant flow to achieve the same thing ?
>
> On Tue, Jan 24, 2017 at 12:49 PM, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
>
> We have support for identity brokering, but not sure if that helps
> with your usecase. As if I understand correctly, you have token
> for B and you want to access API protected by A with the B-token,
> right?
>
> If you don't want to use multitenancy for some reason, I think you
> may have to validate token by yourself and your application side
> instead of using our adapters. As even if A and B use the same
> publicKey for token verification, the issuer in the B-Token will
> be different though, so our adapter (which verifies the issuer)
> will fail.
>
> Also you can implement your own directGrant authenticator in the
> Keycloak-A, which will allow you to authenticate with the b-token
> (sent to it in some parameter) and then return you back the
> a-token, which you can then validate. Defacto exchange b-token for
> a-token. See Authentication SPI docs for more details.
>
> Marek
>
>
> On 24/01/17 12:14, Alexander Chriztopher wrote:
>> Actually, we don't want our API to know the B instance.
>>
>> Is there any other solution (am thinking about brokering between
>> A and B and creating a client for instance B in instance A etc.) ?
>>
>> And yes, A and B are not in a cluster for organisation matters.
>>
>> On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda
>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>>
>> I assume that Keycloak instances A and B are not in cluster?
>> If you can put them in cluster, you will have this supported
>> OOTB.
>>
>> Also did you see our multitenancy feature and multi-tenant
>> example? This allows that application (API) is protected by
>> both instance A or B. So based on the token from the request,
>> you will see if you should use keycloak A or B to validate token.
>>
>> Marek
>>
>>
>> On 24/01/17 11:05, Alexander Chriztopher wrote:
>>
>> Hello,
>>
>> Am looking for the flow to get an access token with OIDC
>> and 2 Keycloak
>> instances (A and B).
>>
>> User is known by instance B and gets an access token from
>> instance B then
>> needs to access an API protected with instance A.
>>
>> What would be the best way to do it ?
>>
>> Thanks for any help.
7 years, 11 months
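As an added illustration of the authenticator sketched in the message above (example code written here, not Keycloak's own and not from the list): a direct-grant authenticator for Keycloak A that handles the external_idp parameters, verifies the credentials against Keycloak B's token endpoint with a password grant, and links the result to a user that already exists in A. The class name, the B token endpoint URL and the client id are assumptions, as is the Keycloak 2.x getUserByUsername(username, realm) signature; the AuthenticatorFactory and META-INF/services registration that Keycloak also needs to load it are omitted.

```java
import java.io.*;
import java.net.*;
import javax.ws.rs.core.*;
import org.keycloak.authentication.*;
import org.keycloak.authentication.Authenticator; // explicit: java.net.* also has an Authenticator
import org.keycloak.models.*;
/** Direct-grant authenticator: "external_idp=true" logins are verified against Keycloak B. */
public class ExternalKeycloakAuthenticator implements Authenticator {
    // Assumed values: B's token endpoint and the client registered in B for this purpose.
    static final String KC_B_TOKEN_URL = "https://kc-b.example.invalid/auth/realms/b-realm/protocol/openid-connect/token";
    static final String KC_B_CLIENT_ID = "kc-a-broker";
    @Override public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        if (!"true".equals(form.getFirst("external_idp"))) {
            context.attempted(); // not ours: ValidateUsername/ValidatePassword do the local login
            return;
        }
        String username = form.getFirst("external_username");
        String password = form.getFirst("external_password");
        // Only link to a user that already exists and is enabled in A; provisioning is a separate decision.
        UserModel user = username == null ? null
            : context.getSession().users().getUserByUsername(username, context.getRealm()); // 2.x signature (assumed)
        if (user == null || !user.isEnabled() || password == null
                || !authenticateAgainstB(username, password)) {
            // Same error for unknown user and bad password, as ValidatePassword does; the password is never logged.
            Response challenge = Response.status(401).entity("{\"error\":\"invalid_grant\"}")
                .type(MediaType.APPLICATION_JSON_TYPE).build();
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return;
        }
        context.setUser(user);
        context.success(); // A now issues its own access token for this user
    }
    /** Password grant against B; only the HTTP status matters, B's token is discarded. */
    static boolean authenticateAgainstB(String username, String password) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(KC_B_TOKEN_URL).openConnection();
            conn.setRequestMethod("POST"); conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            String body = "grant_type=password&client_id=" + enc(KC_B_CLIENT_ID)
                + "&username=" + enc(username) + "&password=" + enc(password);
            try (OutputStream out = conn.getOutputStream()) { out.write(body.getBytes("UTF-8")); }
            return conn.getResponseCode() == 200;
        } catch (IOException e) {
            return false; // B unreachable or rejected the credentials: fail closed
        }
    }
    private static String enc(String s) throws IOException { return URLEncoder.encode(s, "UTF-8"); }
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Place it as the first execution of a copy of the direct grant flow; because a password is forwarded to A in clear form parameters, A must be reached over TLS and the client in B used for the check should be dedicated to this purpose.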
The best way to get the action of the login form
by Known Michael
Hey,
We have started to create automation tests for our keycloak integration.
We have discovered that the action URL of the login form (the submit URL)
is generated each time.
Therefore we need to parse the login response to get the action from the
login form.
Can you suggest a better way to get the action of the login form?
If not: do you think the way the action is generated can be changed
significantly in the near future, so that all our tests will fail?
7 years, 11 months
Logout in cluster environments
by Pulkit Gupta
Hi All,
I am running multiple applications deployed on a JBoss cluster with
Infinispan used as a cache and for distributed sessions.
I verified and can see that session replication is working for a normal
application, where I can see the same session on all the servers in the
cluster and hence the application is working fine without session
stickiness.
However, when I am trying to use any Keycloak SAML client based application
it is only working if the request is going to a particular box in the
cluster. On all the other boxes we are getting errors.
From this behaviour I am concluding that somehow for Keycloak based
applications sessions are not getting replicated.
Both these applications have the <distributable /> tag in them, so I am not sure
why it is showing different behaviour.
I know we can fix this by just enabling session stickiness, but we want the
sessions to be replicated as well.
This is because we want to make our setup more resilient. Also, in case of
logout, when Keycloak is sending a back channel logout request it may send
it to any server in the cluster.
If the sessions are not properly replicated then the logout will fail, as
the session will remain preserved on some other server in the cluster.
Can someone please suggest something to try?
--
Thanks,
Pulkit
7 years, 11 months
JWT discussion on microprofile.io list
by Scott Stark
Hey guys, can someone who is going to be involved with the JSR 375: JavaTM EE Security API effort comment on the use of the JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519 as a means of propagating an authenticated subject and workflow roles.
There is a discussion about this that is in early stages over on the Microprofile.io google group:
https://groups.google.com/forum/#!topic/microprofile/gakCq7kSBsY
The last comment I made that you could critique was:
"
I think the minimum starting use case is that a user has a workflow that involves 2 or more micro services. They are using an IdP to produce a JWT that has a subject and workflow associated roles.
What they need is the ability to configure the micro services to:
1. accept that JWT is valid. This goes to defining acceptable signatures and encryption. A default implementation of a javax.security.auth.message.module.ServerAuthModule that illustrates this would be needed for a compatibility test.
2. Some security configuration definition that allows for the mapping of the subject and workflow roles into the security domains of the containers hosting the micro services.
It seems like the aud(iences) field of the token could be used for the purpose of the roles:
aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
"
7 years, 11 months
How to configure KeycloakAuthorization on Angular2 Application
by Carlos Feria
Hi all, good morning. I am coding an Angular2 application and I need to
implement authorization like this example on Keycloak
https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz,
there is another example that indicates how to use Keycloak on Angular2
applications (
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a...
)
My real problem is how to write responseError on Angular2? Have you ever
had this kind of problem?
This is the code (the red code) that I want to pass to Angular2... please help
me.
module.factory('authInterceptor', function ($q, $injector, $timeout, Identity) {
    return {
        // Attach the RPT (authorization token) when we already have one, otherwise the plain access token.
        request: function (request) {
            document.getElementById("output").innerHTML = '';
            if (Identity.authorization && Identity.authorization.rpt && request.url.indexOf('/authorize') == -1) {
                retries = 0;
                request.headers.Authorization = 'Bearer ' + Identity.authorization.rpt;
            } else {
                request.headers.Authorization = 'Bearer ' + Identity.authc.token;
            }
            return request;
        },
        // On 401/403, ask for an RPT once and replay the original request with it; give up after one retry.
        responseError: function (rejection) {
            var status = rejection.status;
            if (status == 403 || status == 401) {
                var retry = (!rejection.config.retry || rejection.config.retry < 1);
                if (!retry) {
                    document.getElementById("output").innerHTML = 'You can not access or perform the requested operation on this resource.';
                    return $q.reject(rejection);
                }
                if (rejection.config.url.indexOf('/authorize') == -1 && retry) {
                    var deferred = $q.defer();
                    // here is the authorization logic, which tries to obtain an authorization
                    // token from the server in case the resource server returns a 403 or 401.
                    // (this is the part marked in red in the mail)
                    Identity.authorization.authorize(rejection.headers('WWW-Authenticate')).then(function (rpt) {
                        deferred.resolve(rejection);
                    }, function () {
                        document.getElementById("output").innerHTML = 'You can not access or perform the requested operation on this resource.';
                    }, function () {
                        document.getElementById("output").innerHTML = 'Unexpected error from server.';
                    });
                    var promise = deferred.promise;
                    return promise.then(function (res) {
                        if (!res.config.retry) {
                            res.config.retry = 1;
                        } else {
                            res.config.retry++;
                        }
                        var $http = $injector.get("$http");
                        return $http(res.config).then(function (response) {
                            return response;
                        });
                    });
                }
            }
            return $q.reject(rejection);
        }
    };
});
--
Carlos E. Feria Vila
7 years, 11 months
AuthenticationManager send back access_denied error when it should send server_error
by Cristi Cioriia
Hi guys,
The AuthenticationManager class handles a failed required action by sending
an access_denied error message back to the client application, instead of a
server error, if the required action detects that it cannot display the
required action page and marks the context as failed.
The use case I have is the following:
1) I have created and configured a required action that calls an external
service to retrieve some data. If that service fails, then I cannot display
the required action page to the user, so I call
context.failure().
2) Now, when the AuthenticationManager.executionActions method is called to
display the required action page, it detects that the status of the
required action context is FAILURE (line 641), so it doesn't display the
required action page, but instead it calls at line 647 the oidc protocol
like this:
Response response = protocol.sendError(context.getClientSession(),
Error.CONSENT_DENIED);
This creates a response for the client application with
error=access_denied, but in my opinion it should be with server_error,
because the user didn't even have the chance to grant consent.
Isn't this how it should happen? I noticed that the server_error is not
returned to the client at all, as it is only the default branch of a switch,
and it can't be reached at all, as the Error enum does not have a mapping
for it.
Looking forward to an answer.
Greetings,
Cristi
7 years, 11 months