Key Id and syncing with JWKS file
by Sud Ramasamy
We have a Java application (the client) that is secured using Spring Security and the Keycloak Spring Security adapter. It is talking to Keycloak as the OIDC provider. The client is registered in Keycloak and secured with Signed Jwt as the Client Authenticator and using the JWKS URL pointing to a location where we host the JWKS file.
The Key Id (kid) value for the key in the JWKS file must match the value that the client side Keycloak adapter is sending to Keycloak. Which makes sense. The client side adapter is using the KeyUtils.createKeyId() method to construct the Key Id. I’ve copy pasted the method below:
public static String createKeyId(Key key) {
try {
return Base64Url.encode(MessageDigest.getInstance(DEFAULT_MESSAGE_DIGEST).digest(key.getEncoded()));
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
I don’t see a way to specify the Key Id value to use in the Keycloak adapter’s JSON configuration file. Instead it appears that when we build out the JWKS file we need to use the above logic to populate the Key Id value. Is this true? Or do we need an enhancement for the Keycloak adapter to support a key id parameter/value in the configuration file.
Thanks in advance.
-sud
6 years, 6 months
Re: [keycloak-user] Mapping provider user ID to user attribute
by Ruh, Garret
Following up here, we’re still running into this issue. Without the ability to map IDP identifiers to user attributes (and then inject that attribute into the access token), migrating from single-IDP auth to Keycloak-brokered auth becomes fairly difficult, as existing data stores still use the original IDP’s identifier.
Any thoughts or pointers to relevant documentation are much appreciated.
Garret Ruh
On 10/17/17, 6:25 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Ruh, Garret" <keycloak-user-bounces(a)lists.jboss.org on behalf of garret.ruh(a)optum.com> wrote:
Context: Using Keycloak as an OpenID Connect identity broker, and onboarding an IDP.
Is it possible to map a provider user ID (from an OpenID Connect identity provider – so the value in the sub claim) to a user attribute? Have attempted using an "Attribute Importer" mapper w/ claim "sub" to no avail. End goal is to include that attribute (if it exists) in generated access tokens so that applications can still reference the provider user ID during a transitional period.
Seems like it’d be a pretty common use case, so apologies if this has been asked and answered before. Could be missing the applicable search term(s).
Regards,
Garret Ruh
This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.
6 years, 6 months
Spring Boot/Keycloak IE11 compatibility
by Kuestermann, Thomas
Folks,
We're currently developing a Spring Boot [1] application that uses Keycloak & Spring Security [2] for authentication and authorization. Everything fine so far, the Keycloak login page is displayed when the user accesses the application. I feel a bit ashamed, but it had to happen at some point: We need to support the beloved IE11, yay! What happens with IE is that the login page is not displayed as a HTTP 401 is returned to the browser instead of a HTTP 302. I tracked it down to "org.keycloak.adapters.springsecurity.authentication.HttpHeaderInspectingApiRequestMatcher" checking for the MIME type "text/html" in the HTTP Accept header. Unfortunately, my IE sends something like this in the request:
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap,*/*
According to the Mozilla Docs [3], MIME type "*/*" matches everything including "text/html" required by the request matcher.
My question is the following as it is easy to work around and fix: Is it worth filing an issue with Keycloak? I also feel confident enough to provide a pull request.
Regards,
-- Thomas
[1] http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/spring...
[2] http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/spring...
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept
6 years, 6 months
FW: Spring Boot/Keycloak IE11 compatibility
by Kuestermann, Thomas
Hah, thanks for the that! I’m thankful it’s open source.
From: Sebastien Blanc [mailto:sblanc@redhat.com]
Sent: Donnerstag, 26. Oktober 2017 10:36
To: Kuestermann, Thomas <Thomas.Kuestermann(a)sabre.com<mailto:Thomas.Kuestermann@sabre.com>>
Cc: keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] Spring Boot/Keycloak IE11 compatibility
Hi,
Looks like a ticket as been opened yesterday for the same problem with a Pull Request as well :)
https://issues.jboss.org/browse/KEYCLOAK-5679
and
https://github.com/keycloak/keycloak/pull/4587
Please, feel free to comment on the PR as well
Seb
On Thu, Oct 26, 2017 at 10:28 AM, Kuestermann, Thomas <Thomas.Kuestermann(a)sabre.com<mailto:Thomas.Kuestermann@sabre.com>> wrote:
Folks,
We're currently developing a Spring Boot [1] application that uses Keycloak & Spring Security [2] for authentication and authorization. Everything fine so far, the Keycloak login page is displayed when the user accesses the application. I feel a bit ashamed, but it had to happen at some point: We need to support the beloved IE11, yay! What happens with IE is that the login page is not displayed as a HTTP 401 is returned to the browser instead of a HTTP 302. I tracked it down to "org.keycloak.adapters.springsecurity.authentication.HttpHeaderInspectingApiRequestMatcher" checking for the MIME type "text/html" in the HTTP Accept header. Unfortunately, my IE sends something like this in the request:
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap,*/*
According to the Mozilla Docs [3], MIME type "*/*" matches everything including "text/html" required by the request matcher.
My question is the following as it is easy to work around and fix: Is it worth filing an issue with Keycloak? I also feel confident enough to provide a pull request.
Regards,
-- Thomas
[1] http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/spring...
[2] http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/spring...
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 6 months
Securing Node.js stateless API
by Ariel Kogan
Hi guys,
I want to secure a Node.js API with Keycloak. As a first step, I only want
to allow requests of users with an open session in Keycloak.
I've followed the guide here,
http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/nodejs-adap...
However I don't want to use a session store as the API is stateless. Maybe
I'm missing something here. My route looks like,
router.use('/author', keycloak.protect(), author());
And my keycloak.json is below,
{
"realm": "testrealm",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "postman-client",
"credentials": {
"secret": "123a4567-abcd-12a4-987x-bb87f8f7f621"
},
"bearerOnly": true
}
When I make a request to my Node.js API, I always receive a 403 with the
message "Access denied". Te requests look like the below,
GET /api/v1/en/author/ariel HTTP/1.1
Host: localhost:8081
Authorization: Bearer [the token I got upon authentication]
Accept: application/json
I'll appreciate any pointers on this.
Thanks,
Ariel
6 years, 6 months
Reset Actions vs. Required Actions
by Richard
I'm a bit confused about the use of "Reset Actions". They look very
similar to Required Actions except that an email is sent to the user.
Most possible use-case scenarios can probably be done best with Required
Actions. In that case the user doesn't get an email and has to do the
action on next login.
I noticed that it works even before login (when I signed out and clicked
on forget password the actions came up). What's the reason for that, or
is that a bug?
The only use I can think of is, when an account is created from the
admin console and the admin wants to inform the user about it. In that
case a reset password email would + required actions would serve that
purpose. If that is the main intended purpose, I think the function is
not very clear and intuitive to use.
Also, the Reset Actions cannot be seen anywhere after the email is sent.
I would expect that they would be visible in the Required Actions.
It's not very well documented, so perhaps someone can tell a little more?
-- Richard
6 years, 6 months
Where can I find how popular each version is in production?
by Marie Bauer
Hi,
I'd like to know if or how I can find out, how popular each version of KeyCloak is and what would be the usecases and number of users the installation has to deal with. Are there any statistics anywhere?
I would like to get a feeling how stable the product is and how many people relay on it.
Thank you,
Marie
6 years, 6 months
Bearer only RESTful service accepts request also without a client configured in Keyclo
by Gunter Zeilinger
I have deployed 2 web-applications - one for the UI and one providing
RESTful Services - in one EAR in Wildfly 10, both secured by using the
JBoss EAP/Wildfly Adapter, the UI WAR with
<public-client>true</public-client>, and the RS WAR with
<bearer-only>true</bearer-only>, both with different values for the
client-id by <resource>xxxxx</resource>.
The UI application propagates the authentication to the REST Services
similarly as shown in https://github.com/keycloak/
keycloak/blob/master/examples/demo-template/customer-app/
src/main/java/org/keycloak/example/CustomerDatabaseClient.java . (The only
difference is that the access token is provided by the UI Application to an
Angular 2 client, which then directly invokes the RESTful services using
that token).
It works, but I realized, that it also works if there is no client with
matching id for the RESTful web-application configured in Keycloak. Is that
intended?
Thanks for any clarification,
Gunter
J4Care
6 years, 6 months
Realm roles
by Jeff Larsen
We are trying to use keycloak auth on a Spring Boot app as demonstrated on
this page:
https://developers.redhat.com/blog/2017/05/25/easily-secure-
your-spring-boot-applications-with-keycloak/
Everything works fine as long as I use client roles. However, our user base
is in Active Directory. We have successfully created a role mapper for the
realm to convert AD groups to realm roles. However, we can't get the above
example to work with realm roles. We intend to use the realm roles across
several clients so we don't want to map them to each client config
individually.
This documentation:
http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/
java/java-adapter-config.html
claims that the property use-resource-role-mappings controls whether client
or realm roles are used. However, whether that property is set to true or
false we are only seeing client resource roles work in the demo app.
We are using Keycloak 3.2.1.Final and setting the property in Spring as
keycloak.use-client-role-mappings = false. I'm especially frustrated
because the docs say it defaults to realm roles if the property is not
present and we're not seeing that behavior either.
Are we doing something wrong? What are we missing? Maybe a bug?
Thanks,
Jeff
6 years, 6 months
