October 2017 - keycloak-user - Jboss List Archives

PolicyEnforcer always requires all defined scopes as 'required'

by sahlex

Hi. I try to get warm with keycloak. So I created a test project that uses KeycloakOIDCFilter to secure a servlet requset (a vaadin UI). Basically it's working. Now I want to add some portions of the UI only visible to users granted permission to a certain scope. So I set up: * client (named test-context) is configured for authorization * A resource (admin-ui) with associated scopes urn:test-project:article:view and urn:test-project:article:create. * two realm roles: admin and user * two users (test, admin), one of them (test) having role user, the other (admin) having both admin and user roles * auth settings: policy enforcement mode: enforcing (also added "policy-enforcer": {} in keycloak.json) * Two policies: - Admin policy: type role, roles: admin (required) - User policy: type role, roles: user * Two scope permissions bound to the resource admin-ui. - Article Create Permission: resource: admin-ui, scopes: urn:test-project:article:create, policy: Admin policy, unanimous - Admin UI View Permission: resource: admin-ui, scopes: urn:test-project:article:view, policy User policy, unanimous * A resource permission granting access to the resource itself using Default Permission (js, grant all) Admin user is working fine and testing for scope membership using authzClient is working fine as well. However, when I try to access the page with user 'test', the user is denied access due to AbstractPolicyEnforcer. In method authorize() it always passes the requiredScopes variable to isAuthorized(...). This variable is ALWAYS filled with all scopes assiciated for the resource. These are taken from the pathConfig, which always yields both associated scopes. Of course, user 'test' has only granted permission to scope urn:test-project:article:view following the authorization set up, thus failing the grant although the evaluator is returning PERMIT with scopes (urn:testproject:article:view) as expected: { "jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c", "exp": 1507127243, "nbf": 0, "iat": 1507126943, "aud": "test-context", "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0", "typ": "Bearer", "azp": "test-context", "auth_time": 0, "session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8", "acr": "1", "allowed-origins": [ "http://" ], "realm_access": { "roles": [ "uma_authorization", "user" ] }, "resource_access": {}, "authorization": { "permissions": [ { "scopes": [ "urn:testproject:article:view" ], "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8", "resource_set_name": "Admin UI" } ] }, "name": "Test Tester", "preferred_username": "test", "given_name": "Test", "family_name": "Tester", "email": "test(a)bla.de" } I'm using keycloak 3.2.1.FINAL on karaf 4.1.2. Please help! -- Sent from: http://keycloak-user.88327.x6.nabble.com/

6 years, 6 months

1
0
0 / 0

PolicyEnforcer always requires all defined scopes as 'required'

by alexander.sahler＠brodos.de

Hi. I try to get warm with keycloak. So I created a test project that uses KeycloakOIDCFilter to secure a servlet requset (a vaadin UI). Basically it's working. Now I want to add some portions of the UI only visible to users granted permission to a certain scope. So I set up: * client (named test‑context) is configured for authorization * A resource (admin‑ui) with associated scopes urn:test‑project:article:view and urn:test‑project:article:create. * two realm roles: admin and user * two users (test, admin), one of them (test) having role user, the other (admin) having both admin and user roles * auth settings: policy enforcement mode: enforcing (also added "policy‑enforcer": {} in keycloak.json) * Two policies: ‑ Admin policy: type role, roles: admin (required) ‑ User policy: type role, roles: user * Two scope permissions bound to the resource admin‑ui. ‑ Article Create Permission: resource: admin‑ui, scopes: urn:test‑project:article:create, policy: Admin policy, unanimous ‑ Admin UI View Permission: resource: admin‑ui, scopes: urn:test‑project:article:view, policy User policy, unanimous * A resource permission granting access to the resource itself using Default Permission (js, grant all) Admin user is working fine and testing for scope membership using authzClient is working fine as well. However, when I try to access the page with user 'test', the user is denied access due to AbstractPolicyEnforcer. In method authorize() it always passes the requiredScopes variable to isAuthorized(...). This variable is ALWAYS filled with all scopes assiciated for the resource. These are taken from the pathConfig, which always yields both associated scopes. Of course, user 'test' has only granted permission to scope urn:test‑project:article:view following the authorization set up, thus failing the grant although the evaluator is returning PERMIT with scopes (urn:testproject:article:view) as expected: { "jti": "8d805d7e‑f2bf‑485c‑ad9e‑9ca397903f6c", "exp": 1507127243, "nbf": 0, "iat": 1507126943, "aud": "test‑context", "sub": "dccb9a67‑5a45‑4c15‑bcee‑3c1db26c16f0", "typ": "Bearer", "azp": "test‑context", "auth_time": 0, "session_state": "6623b31b‑9c5c‑4e87‑a882‑21ab8d72c2a8", "acr": "1", "allowed‑origins": [ "http://" ], "realm_access": { "roles": [ "uma_authorization", "user" ] }, "resource_access": {}, "authorization": { "permissions": [ { "scopes": [ "urn:testproject:article:view" ], "resource_set_id": "a9d034f3‑0ea4‑4c96‑b314‑6ce544bf01b8", "resource_set_name": "Admin UI" } ] }, "name": "Test Tester", "preferred_username": "test", "given_name": "Test", "family_name": "Tester", "email": "test(a)bla.de" } I'm using keycloak 3.2.1.FINAL on karaf 4.1.2. Please help!

6 years, 6 months

1
0
0 / 0

PolicyEnforcer always requires all defined scopes as 'required'

by alexander.sahler＠brodos.de

Hi. I try to get warm with keycloak. So I created a test project that uses KeycloakOIDCFilter to secure a servlet requset (a vaadin UI). Basically it's working. Now I want to add some portions of the UI only visible to users granted permission to a certain scope. So I set up: * client (named test-context) is configured for authorization * A resource (admin-ui) with associated scopes urn:test-project:article:view and urn:test-project:article:create. * two realm roles: admin and user * two users (test, admin), one of them (test) having role user, the other (admin) having both admin and user roles * auth settings: policy enforcement mode: enforcing (also added "policy-enforcer": {} in keycloak.json) * Two policies: - Admin policy: type role, roles: admin (required) - User policy: type role, roles: user * Two scope permissions bound to the resource admin-ui. - Article Create Permission: resource: admin-ui, scopes: urn:test-project:article:create, policy: Admin policy, unanimous - Admin UI View Permission: resource: admin-ui, scopes: urn:test-project:article:view, policy User policy, unanimous * A resource permission granting access to the resource itself using Default Permission (js, grant all) Admin user is working fine and testing for scope membership using authzClient is working fine as well. However, when I try to access the page with user 'test', the user is denied access due to AbstractPolicyEnforcer. In method authorize() it always passes the requiredScopes variable to isAuthorized(...). This variable is ALWAYS filled with all scopes assiciated for the resource. These are taken from the pathConfig, which always yields both associated scopes. Of course, user 'test' has only granted permission to scope urn:test-project:article:view following the authorization set up, thus failing the grant although the evaluator is returning PERMIT with scopes (urn:testproject:article:view) as expected: { "jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c", "exp": 1507127243, "nbf": 0, "iat": 1507126943, "aud": "test-context", "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0", "typ": "Bearer", "azp": "test-context", "auth_time": 0, "session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8", "acr": "1", "allowed-origins": [ "http://" ], "realm_access": { "roles": [ "uma_authorization", "user" ] }, "resource_access": {}, "authorization": { "permissions": [ { "scopes": [ "urn:testproject:article:view" ], "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8", "resource_set_name": "Admin UI" } ] }, "name": "Test Tester", "preferred_username": "test", "given_name": "Test", "family_name": "Tester", "email": "test(a)bla.de" } I'm using keycloak 3.2.1.FINAL on karaf 4.1.2. Please help!

6 years, 6 months

1
0
0 / 0

how to restrict saml authentication by group (or role)

by Michael Meier

hi all In my configuration users are members of groups like, "nextcloud", "xmpp", "mail", which specifies what services they are allowed to use. That works pretty well, when using LDAP, since it seems that all ldap authentication clients to provide a filter string, so I can filter by string. Unfortunately it seems, like not all saml authentication clients (service providers) do support to filter by groups. So I'd like in keycloak to restrict which users are allowed to authenticate over what client. So I want for example, that only users which are members of the group nextcloud are able to authenticate over the nextcloud saml client in keycloak. So keycloak will just negate an authenticate request for a user which is not member of a certain group for certain clients. But I can't find a way to do that, neither over groups nor rolls. Can somebody point me into the right direction? thanks a lot Michael

6 years, 6 months

1
0
0 / 0

Two browser tabs result in two access-/refresh tokens and accidental logout

by Anders KK

Hi guys, We run into an accidental logout when opening our application in a second tab in the browser. It seems that the second tab acquires its own access-/refresh token pair, however, the tabs share the session. Consequently, when the first tab needs to refresh its token, the refresh token is no longer valid, resulting in the first tab initiating a logout - and then the second tab only lives until token expiration, since refresh fails due to the first tab having ended the session. Looking into the js adapter code we got the impression that the tabs would share tokens through local storage - is this something we need to activate explicitly in the configuration? We have a setup with an Angular2 app making use of the Keycloak js adapter. We made use of the example provided with the 3.0.0 quickstarts, but modified the parameters for the init function: Thanks for the great effort put into Keycloak! Anders -- Sent from: http://keycloak-user.88327.x6.nabble.com/

6 years, 6 months

1
0
0 / 0

Good presentation to understand UMA spec

by Rafael T. C. Soares

I've found a very good (and funny) presentation slides explaining how UMA spec works... https://www.slideshare.net/Identiverse/introducing-uma-20-cis-2017 It's really a good reference if you are wants to understand how UMA works! Would be nice have that presentation referenced on Keycloak's Authorization Services guide pages [1] [1] http://www.keycloak.org/docs/3.3/authorization_services/topics/overview/t... -- Rafael T. C. Soares Solution Architect Red Hat Brazil rsoares(a)redhat.com M: +55-71-99616-9145 T: +55-11-3529-6096 Twitter: @redhatnews | LinkedIn: linkedin.com/company/red-hat | Facebook: facebook.com/RedHatInc

6 years, 6 months

2
1
0 / 0

web-context admin console

by Dennis de Vaal | Rovecom

When I curl -I http://test.domain.com/auth/admin I’m being redirected to http://test.domain.com/admin/master/console/ even though the web-context is set to /auth. Why is this? % curl -I http://test.domain.com/auth/admin HTTP/1.1 302 Found Content-Length: 0 Date: Wed, 04 Oct 2017 09:32:17 GMT Location: http://test.domain.com/admin/master/console/ Server: WildFly/10 X-Powered-By: Undertow/1 Content-Type: text/plain; charset=utf-8 I want to serve everything under /auth including the admin console. When I go to http://test.domain.com/auth/admin/master/console I’m getting 404’s, network errors etc. (index):12 GET http://test.domain.com/resources/2.5.5.final/admin/keycloak/lib/patternfl... net::ERR_ABORTED (index):13 GET http://test.domain.com/resources/2.5.5.final/admin/keycloak/lib/select2-3... net::ERR_ABORTED This path works though: http://test.domain.com/auth/resources/2.5.5.final/admin/keycloak/lib/sele... Keycloak is behind a reverse proxy (traefik). We are using the option: PathPrefixStrip which basically removes /auth from every request. Is there a way to set the correct relative url in keycloak? Proxy forwarding is enabled in standalone.xml Regards, Dennis de Vaal ----------------------------- Rovecom Dennis de Vaal | Rovecom webontwikkelaar Elbe 2, 7908 HB Hoogeveen Postbus 2126, 7900 BC Hoogeveen 0528 22 35 35 Voortdurend bezig met innoveren om beweging te stimuleren en groei te realiseren. Wij zijn Rovecom. Disclaimer: http://www.rovecom.nl/maildisclaimer. Wanneer de link niet werkt, plak de link dan in uw internet browser. -----------------------------

6 years, 6 months

1
0
0 / 0

Returned mail: see transcript for details

by MAILER-DAEMON

The message could not be delivered

6 years, 6 months

1
0
0 / 0

Improvement required in password policy evaluation

by Shaikh Asrafali Anwarali

Hello, The Keycloak shows PASSWORD construction rule one at a time when it fail to adhere to it. For example : Applied password policy are : 1. specialChars 2. upperCase 3. passwordHistory 4. length 5. digits 6. notUsername 7. lowerCase If I set my password as "abcd" I get error message saying " there has to be special character" then I changed it to abcd@ After that I get message saying, there has to be 1 capital letter ... It goes on and one till all the policy is satisfied There is a requirement that all failure reasons should be displayed at once or at least show the configures password rules somewhere on this screen. On page I have all the data available, like in realm.passwordPolicy - have all the configured password policy data. But not sure how messages can be formulated so that internationalization is also maintained. Is there any way by which it can be achieve? Regards, Asraf Shaikh

6 years, 6 months

2
2
0 / 0

Fwd: Undeclared namespace prefix "dsig" - still a problem in keycloak 3.3.0 CR2.

by Michael Mok

Hi there In regards to issuee 4818 (https://issues.jboss.org/browse/KEYCLOAK-4818), we are still encountering issue with recognising dsig. 06:54:51,265 WARN [org.keycloak.saml.common] (default task-110) XML External Entity switches are not supported. You may get XML injection vulnerabilities. 09:19:31,939 ERROR [io.undertow.request] (default task-245) UT005023: Exception handling request to /auth/realms/demo/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledExcept ion: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "dsig" at [row,col {unknown-source}]: [1,914] at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException( ExceptionHandler.java:78) at org.jboss.resteasy.core.ExceptionHandler.handleException( ExceptionHandler.java:222) at org.jboss.resteasy.core.SynchronousDispatcher.writeException( SynchronousDispatcher.java:179) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( SynchronousDispatcher.java:422) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest( ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( KeycloakSessionServletFilter.java:90)

6 years, 6 months

1
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user October 2017