Admin client backward compatibility issue (2.5 -> 3.2)
by Skorupa, Sascha
Hi all,
we currently have a problem with upgrading to keycloak 3.2.1. All our clients use keycloak admin client 2.5.5 and it seems that they do not work with server 3.2.1 without setting the JsonIgnore property somehow. The reason is the new "access" property in the UserPresentation class. It is in general hard to migrate to newer keycloak versions if there are changes that are not backward compatible.
The issue is similar to https://issues.jboss.org/browse/KEYCLOAK-5159 but vice versa. Here the proposal is to migrate server side first.
We tried to fix our clients by setting a JacksonProvider with a custom object mapper on the KeycloakBuilder, but unfortunately got the same behaviour. (like here https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar...)
Does anyone have an idea how we can solve it? Upgrading clients is not an option at the moment because we use wildfly swarm and the keycloak fraction is still on 2.5.5.
Cheers,
sascha
7 years, 2 months
Group user property for SAML client authentication
by Min Han Lee
Hello Guys,
I'm currently trying to set up SAML authentication via Keycloak to pull
the group attribute. I was wondering if anyone knows the keyword for the
client user property to pull the group value? For example, to pull the
email attribute, the keyword for the property box will be 'email'; how
about the group? Apparently, it wasn't 'group'.
Any help is much appreciated
7 years, 2 months
set idp alias
by Cristóvão Cordeiro
Hi,
Is it possible to change the users' IdP alias during
authentication/registration?
Best regards,
*Cristóvão Cordeiro*
7 years, 2 months
Execution order of required actions
by Martin Hardselius
Is there a way to order the execution of required actions? E.g. I want to
display a "Welcome" message, but only after the user has accepted the Terms &
Conditions.
Cheers,
Martin
7 years, 2 months
Problem with Oracle sql
by mzmien
Hi All!
I'm trying to "generate" a raw SQL file for the latest keycloak 3.3.0.CR2, but without a connection to the database (Oracle). Is it possible?
Every time I try to start standalone.sh I get an error:
caused by: java.net.ConnectException: Connection refused
My standalone.xml
<cut>
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" jta="true" use-java-context="true">
    <connection-url>jdbc:oracle:thin:@127.0.0.1:1521:ORCLCDB</connection-url>
    <driver>oracle</driver>
    <security>
        <user-name>username</user-name>
        <password>password</password>
    </security>
    <new-connection-sql>select * from dual</new-connection-sql>
</datasource>
</cut>
In drivers section:
<cut>
<driver name="oracle" module="com.oracle.db">
    <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
</driver>
</cut>
and strategy options:
<cut>
<properties>
    <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
    <property name="initializeEmpty" value="false"/>
    <property name="migrationStrategy" value="manual"/>
    <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
</properties>
</cut>
I'm expecting a keycloak-database-update.sql file...
Thanks!
Regards,
Mike
7 years, 2 months
MS Authenticator and Duo also work for TOTP
by Peter K. Boucher
I scanned the OTP code presented by Keycloak using Google Authenticator,
Microsoft Authenticator, FreeOTP, and Duo, and they all produce the same
6-digit TOTP for the same time-frames.
Is there some reason the Keycloak docs only say to use Google Authenticator
or FreeOTP?
Thanks!
Regards,
Peter K. Boucher
7 years, 2 months
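The reason every authenticator app in the post above produces the same 6-digit code is that they all implement RFC 6238 TOTP (HMAC-based HOTP from RFC 4226 with the counter set to the current 30-second time step). The following is an added example written for this page, not code from the post or from Keycloak: it implements HOTP/TOTP from the RFC definitions, adds a server-side verification routine with a drift window and replay protection, and builds the otpauth:// URI that the QR code carries. The issuer and account names in the provisioning URI are hypothetical; the key is the RFC test-vector secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Any app that follows the RFC yields this value for the same key and time,
    which is why Google Authenticator, FreeOTP, Duo and MS Authenticator agree."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, code: str, unix_time: int, last_step=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Accepts the code for the current step or up to
    `window` steps either side (clock drift), refuses any step at or before
    `last_step` so an intercepted code cannot be replayed, and returns the
    accepted step (or None) so the caller can persist it as the new last_step."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_step is not None and candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


def provisioning_uri(key: bytes, issuer: str, account: str,
                     step: int = 30, digits: int = 6) -> str:
    """The otpauth:// URI that the enrolment QR code encodes (Key Uri Format).
    Issuer and account are whatever the deployment chooses; here hypothetical."""
    secret = base64.b32encode(key).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_KEY, now))
    print("RFC 6238 vector (t=59, 8 digits):", totp(RFC_TEST_KEY, 59, digits=8))
    print(provisioning_uri(RFC_TEST_KEY, "ExampleRealm", "alice@example.test"))
```

The values asserted below are the published RFC 4226 and RFC 6238 test vectors, so a client app that scans the same secret should display the same digits at the same time; the `verify_totp` routine is the piece a server needs beyond the RFC, since the RFC defines only how a code is generated.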
failover scenario
by Sud Ramasamy
Hi Keycloak devs/users,
We are trying to wrap our heads around how we might deploy Keycloak in a PROD with DR failover topology and are running into a concern with the client secret being different between the clusters.
We have two separate Keycloak clusters with their own databases for our PROD and DR datacenters. As part of initial one-time client setup when we register the client in the PROD cluster we also register the same client in our DR cluster. The configuration for the client is identical between the two clusters except for the client secret which is generated by Keycloak.
When there is a DR event for Keycloak (either failure or scheduled maintenance) we have the ability to repoint the URL for the PROD Keycloak to the DR Keycloak cluster. We don’t change anything else. Unfortunately the PROD clients will not be able to establish SSO with the DR cluster because the client secret is different.
We've considered, instead of using the Keycloak APIs to register the client in both clusters (thereby having different client secrets), registering the client in one cluster and using database scripts to push the same configuration to the other cluster's database, thereby keeping the secrets the same.
I was wondering if others have run into this limitation and how you may have solved for it. Also we are on Keycloak 2.5 (for RH-SSO support purposes). This might be addressed in the upcoming release of Keycloak with multi-datacenter support. But that is currently not an option for us.
Thanks in advance for your insight.
-sud
7 years, 2 months
manipulate IdP attributes in authentication script
by Cristóvão Cordeiro
Hi,
I'd like to know if it is possible to add a Script execution to "first
broker login" and somehow manipulate (set/see/etc...) the user's IdP
information?
I'm asking this because my Identity Provider is a federation (like eduGAIN),
and I am having issues when users use the same credentials in 2 different
IdPs... in Keycloak all attributes will be the same except the
identity_provider_id, which will cause a conflict (violates unique_id
constraint) with the already existing user account in Keycloak, which
already has a link to that Keycloak IdP (which in practice is a federation).
Best regards,
Cris
7 years, 2 months
Username enumeration
by Gregoire Jeanmart
Hello,
One of our customers ran a penetration test on our platform, which uses Keycloak as its Identity & Access Management system.
The penetration test result was good except for a medium issue that could result in large-scale discovery of usernames.
Let me explain the steps to reproduce this:
1. Login to the system with valid credentials
2. Copy the execution parameter [%EXECUTION%] from the POST authenticate HTTP request
https://%KEYCLOAK%/auth/realms/%REALM%/login-actions/authenticate?code=%CODE%&execution=%EXECUTION%&client_id=%CLIENT_ID%
3. Copy the AUTH_SESSION_ID cookie [%AUTH_SESSION_ID%] from the POST authenticate HTTP request
4. Execute the POST authenticate HTTP request again with the execution parameter %EXECUTION% and AUTH_SESSION_ID cookie %AUTH_SESSION_ID%
POST /auth/realms/%REALM%/login-actions/authenticate?code=%CODE%&execution=%EXECUTION%&client_id=%CLIENT_ID% HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: AUTH_SESSION_ID=%AUTH_SESSION_ID%
Cache-Control: no-cache
Body: username=%USERNAME%&password=123&login=Log+in
5. From the HTML response (Invalid username or password) extract the code %CODE% (because unique) from the form action
<div id="kc-form" class="col-xs-12 col-sm-12 col-md-12 col-lg-12 login">
<div id="kc-form-wrapper" class="">
<form id="kc-form-login" class="form-horizontal" action="https://%KEYCLOAK/auth/realms/%REALM%/login-actions/authenticate?code=%CODE%&execution=%EXECUTION&client_id=%CLIENT_ID%" method="post">
<div class="form-group">
<div class="col-xs-12 col-sm-12 col-md-4 col-lg-3">
<label for="username" class="control-label">Username</label>
6. Replay steps 4 and 5 and change the username in the body part.
We can then distinguish a pattern:
- Screenshot: https://imgur.com/a/pwtPH
If the username exists, the response time is 3-4 times longer than if it doesn't exist (whatever the password). So with this method I could enumerate all the usernames in the system using a dictionary and a brute force attack.
The Keycloak Brute Force Attack detection doesn't prevent this as it only locks out user for a given username.
Ideal solution:
If Keycloak could prevent this behaviour by making sure the elapsed computation time for logging in is approximately the same for an existing or non-existing user.
Alternative Solutions:
Alternative solution is to use fail2ban to block an IP when this kind of behaviour is detected.
Thanks.
Gregoire Jeanmart
7 years, 2 months
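The timing gap the report above describes arises whenever a login path returns early for an unknown username and only does the expensive password hashing for a known one; the "ideal solution" in the post is to make both paths do the same work. The block below is an added example written for this page, not Keycloak code: it contrasts a leaky login routine with one that always hashes (against a throw-away record when the username is unknown), and implements the "alternative solution" as a small detector that flags a source IP whose failed logins span many distinct usernames, the signal that per-username lockout cannot see. The user store, dummy record and log lines are all constructed here; the log format is invented for the example, not Keycloak's event format.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store: username -> (salt, PBKDF2 hash).
# A stand-in for any credential store, not Keycloak's storage format.
ITERATIONS = 20_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


USERS = {"alice": _make_record("correct horse battery staple")}

# A throw-away credential hashed once at start-up. Unknown usernames are
# checked against it so a lookup miss costs the same work as a real check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Returns (accepted, hash_ops). Returns early for an unknown user, so a
    miss does no hashing: this is the measurable gap the pentest exploited."""
    record = USERS.get(username)
    if record is None:
        return False, 0
    salt, stored = record
    return hmac.compare_digest(_pbkdf2(password, salt), stored), 1


def login_constant(username: str, password: str):
    """Same decision, but the hash is always computed (against the dummy
    record when the user is unknown), so known and unknown names cost alike."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_pbkdf2(password, salt), stored)
    return (known and matched), 1


# Constructed failed-login records (documentation IP ranges). One client
# burning through many distinct usernames is the enumeration signature,
# whether or not the per-username brute-force lockout ever triggers.
SAMPLE_LOG = [
    "2017-08-01T10:00:01Z ip=203.0.113.7 user=alice result=fail",
    "2017-08-01T10:00:02Z ip=203.0.113.7 user=bob result=fail",
    "2017-08-01T10:00:02Z ip=203.0.113.7 user=carol result=fail",
    "2017-08-01T10:00:03Z ip=203.0.113.7 user=dave result=fail",
    "2017-08-01T10:00:03Z ip=203.0.113.7 user=erin result=fail",
    "2017-08-01T10:00:09Z ip=198.51.100.4 user=alice result=fail",
    "2017-08-01T10:00:12Z ip=198.51.100.4 user=alice result=ok",
]


def flag_enumeration(lines, min_distinct_users: int = 5):
    """Returns source IPs whose failed logins cover at least
    min_distinct_users different usernames (candidates for an IP-level block)."""
    failed_users_by_ip = {}
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("result") == "fail":
            failed_users_by_ip.setdefault(fields["ip"], set()).add(fields["user"])
    return sorted(ip for ip, users in failed_users_by_ip.items()
                  if len(users) >= min_distinct_users)


def _mean_seconds(fn, *args, rounds: int = 20) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("constant", login_constant)):
        known = _mean_seconds(fn, "alice", "wrong-password")
        unknown = _mean_seconds(fn, "nobody", "wrong-password")
        print(f"{name:8s} known={known * 1e3:.2f} ms  unknown={unknown * 1e3:.2f} ms")
    print("enumeration suspects:", flag_enumeration(SAMPLE_LOG))
```

Running the block prints the per-call mean for a known and an unknown username under each routine; the leaky variant shows the unknown case returning in microseconds while the constant variant keeps the two within noise. The returned `hash_ops` count is what makes the difference testable without relying on wall-clock timing, and the detector's threshold is a tuning knob rather than a fixed rule.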
Load testing and performance
by Thelo
Hi,
As we are currently load testing Keycloak to see whether it could be a good
fit in our system, we are experiencing trouble reaching good performance for the
user login.
In our current set up we do direct login via password against Keycloak and
we get around 30 user logins per second.
Here is our current set up:
- 4 instances of Keycloak ( 1 CPU / 800MB of memory each, running in
Kubernetes)
- 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of
memory
As it is hard to believe that one instance can only handle 10 requests per
second, we were wondering if someone had done similar tests and if you would
be willing to share the results / test configuration.
Many thanks,
Thelo
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
7 years, 2 months