Performance Testing keycloak
by John D. Ament
Hi,
I wanted to put together some basic perf tests of keycloak. I'm logging in
as an admin and doing some basic create user operations.
I wrote a simple gatling script to do this work. One issue I'm seeing is
that gatling is grabbing the bearer header in the request. I was
wondering, do I need to send the bearer or can keycloak rely on the cookie
alone?
7 years, 10 months
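On the bearer-versus-cookie question above: Keycloak's Admin REST API is authenticated by the Authorization: Bearer header, while the cookie only carries the admin console's browser session, so a load test has to obtain an admin access token and send it on every request. The following is an added example, not code from the original post, from Gatling, or from Keycloak: a small admin client that fetches one token through the password grant on the default admin-cli client and reuses it until shortly before it expires, instead of logging in again for every operation. BASE_URL (with the /auth prefix of Keycloak 2.x), the master realm, and the injectable httpCall transport are assumptions; the default transport uses Node's global fetch (Node 18+).

```javascript
// Added example: minimal Keycloak admin client driven by a cached bearer token.
// Not part of Keycloak or of the original post; BASE_URL and REALM are assumptions.
const BASE_URL = 'http://localhost:8080/auth'; // assumed Keycloak 2.x style /auth prefix
const REALM = 'master';

// Default transport: Node's global fetch. Returns only what the client needs.
async function defaultHttp(url, init) {
  const res = await fetch(url, init);
  return { status: res.status, body: await res.text() };
}

// httpCall and now() are injectable so the token handling can be exercised offline.
function createAdminClient(httpCall = defaultHttp, now = () => Date.now()) {
  let token = null;   // cached access token
  let expiresAt = 0;  // epoch ms after which the cached token is treated as expired

  // Password grant against the admin-cli client; caches and returns the access token.
  async function login(username, password) {
    const params = new URLSearchParams({
      grant_type: 'password', client_id: 'admin-cli', username, password,
    });
    const { status, body } = await httpCall(
      `${BASE_URL}/realms/${REALM}/protocol/openid-connect/token`,
      {
        method: 'POST',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: params.toString(),
      });
    if (status !== 200) throw new Error(`token request failed with status ${status}`);
    const json = JSON.parse(body);
    token = json.access_token;
    // Refresh a few seconds early so an in-flight request never carries an expired token.
    expiresAt = now() + (json.expires_in - 5) * 1000;
    return token;
  }

  // The bearer header is what the Admin REST API checks; there is no cookie involved.
  function authHeaders() {
    if (!token || now() >= expiresAt) {
      throw new Error('no valid admin token; call login() first');
    }
    return { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
  }

  // POST /admin/realms/{realm}/users; Keycloak answers 201 Created on success.
  async function createUser(realm, user) {
    const { status } = await httpCall(
      `${BASE_URL}/admin/realms/${realm}/users`,
      { method: 'POST', headers: authHeaders(), body: JSON.stringify(user) });
    return status;
  }

  return { login, createUser, authHeaders };
}

module.exports = { createAdminClient, BASE_URL, REALM };
```

In a load-test scenario the login call runs once per virtual user (or once globally, since admin tokens can be shared) and createUser runs in the loop; when authHeaders() starts throwing, the scenario calls login() again rather than replaying stale headers.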
Direct Grants API & OTP
by Stefan Schlesinger
Hello,
I’m using the Direct Grants API as authentication backend for our Radius server.
Currently I’m unable to determine whether a user already has an OTP token configured or not,
and thus our Radius server always prompts the user with an Access-Challenge dialog.
Users who haven’t configured an OTP token yet won’t be able to login, or in case I can work
around this issue, will at least be presented with a question for an OTP token, which they
are not aware of.
Is there a way I could improve this? E.g. an API call which authenticated OpenIDC
clients can trigger?
Best,
Stefan.
7 years, 10 months
Mobile Game Authentication Flow
by Mat Pataki
Hello!
I'm a developer at a mobile gaming company, and I'm trying to better
understand how/if KeyCloak fits within the paradigm that we have, and that
I believe also to be pretty typical in this space. At the moment I am
specifically interested in User Registration and Authentication. I should
say that I've spent a larger amount of time with the documentation before
turning here, so hopefully I'm not missing something completely obvious
(although I can't really rule that out!).
Third party identity providers such as facebook and google provide mobile
SDKs that are capable of completing the OAuth2 flow with their respective
identity platforms. In the end, our consuming mobile apps receive an access
token if all goes well. We send this token to our current custom backend
authentication solution which will validate them, obtain an ID from the
identity provider, and link that ID to our own internal ID for the user.
It's this backend component that I would like to replace with KeyCloak.
For reference, I see very similar code to this in the KeyCloak source, here
<https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...>,
which is encouraging!
The problem however, is that KC's social login flow, and seemingly the
custom SPI flows as well, all begin with the web based registration page.
For our use case, we would like to avoid directing our users away from our
app during this process, and in fact avoid performing the OAuth2 flow
between us and facebook, for example, entirely. This is something we have
today via these client SDKs.
Down the line we plan to use KeyCloak for its more traditional use cases,
including securing our own microservices and applications, but that's
assuming that we can solve this problem.
Any advice would be greatly appreciated! Thanks in advance!
Mat
7 years, 10 months
How to have multiple data sources?
by Danny Trunk
Hello,
I've followed the instructions from
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
But instead of changing the existing DS and provider, I simply added
another one:
<subsystem xmlns="urn:jboss:domain:datasources:4.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/ExampleDS"
                    pool-name="ExampleDS" enabled="true" use-java-context="true">
            ...
        </datasource>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS"
                    pool-name="KeycloakDS" enabled="true" use-java-context="true">
            ...
        </datasource>
        <datasource jndi-name="java:jboss/datasources/myproject"
                    pool-name="myproject" enabled="true" use-java-context="true">
            <connection-url>jdbc:postgresql://192.168.XX.XX/myproject</connection-url>
            <driver>postgresql</driver>
            <pool>
                <max-pool-size>20</max-pool-size>
            </pool>
            <security>
                <user-name>myproject</user-name>
                <password>password</password>
            </security>
        </datasource>
    </datasources>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    ...
    <spi name="connectionsJpa">
        <provider name="default" enabled="true">
            ...
        </provider>
        <provider name="myproject" enabled="true">
            <properties>
                <property name="dataSource" value="java:jboss/datasources/myproject"/>
                <property name="initializeEmpty" value="false"/>
                <property name="migrationStrategy" value="validate"/>
            </properties>
        </provider>
    </spi>
    ...
</subsystem>
That's because I want to set the datasource per realm (if that's possible?).
Now I can't find this connection provider in the admin console. Only the
default is listed in Server Info > Providers.
Server Version: 2.5.1.Final
By the way: This DS configuration is a mess. It would be much more user
friendly to simply add a database provider and configure them through
the admin console.
7 years, 10 months
User's groups in authz policy
by Alexey Kazakov
Hi,
Is there a way to grant permissions to some resource if the user belongs
to some group, in general and in a JS policy in particular?
Thanks.
7 years, 10 months
Does Policy Evaluation Tool Support Client Roles?
by Jeremy Majors
When I'm testing my policies using the Policy Evaluation Tool, I am unable to get the administration application to return any client-based roles so that I can test that scenario (currently it only allows me to specify realm-based roles). Is this because we shouldn't be testing the client-based roles, or does the tool simply not support that feature yet?
My setup is as follows:
* No roles are defined at the realm level
* Client has defined 2 roles (read/write)
* Policy has been set up to allow reading for a specific client (using a client role). The client role 'read' is required
* Permission has been set up to associate the policy with a particular resource's authorization scope.
I set up all of the roles under the client so that I don't pollute the realm roles with application-specific settings, but potentially that isn't how keycloak is supposed to be used.
Thanks,
Jeremy
7 years, 10 months
Clustering Keycloak via TCP
by John D. Ament
Hi
I was wondering, has Keycloak been tested using Wildfly 10.1 TCP-based
JGroups? I'm told that the TCP ports are lazy, and I'm never seeing them
come up. It looks like Keycloak doesn't have a war file, no web.xml and as
a result no distributable flag.
John
7 years, 10 months
SAML Broker configuration based on SAML/Broker examples leads to client_not_found error
by Dmitry Korchemkin
I was trying to set up two SAML keycloak IdPs, based on the basic SAML and
broker examples provided with keycloak.
Using the broker example as a reference, I added an IDP to the saml-demo client. In
this IDP I changed the Single Sign-On Service URL to the URI of the second
realm - http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml,
just like in the broker example.
In saml-broker-realm I configure the SAML client identically to the broker
example.
When I try to log in using this new configuration by pressing the new button,
I get the following error: type=LOGIN_ERROR, realmId=saml-demo, clientId=
http://localhost:8080/auth/realms/saml-demo, userId=null,
ipAddress=10.0.2.2, error=client_not_found.
I tried googling the issue, but all the answers seem to be linked to
keycloak.json, which indeed is not used by the SAML example, as far as I can
tell.
Am I right in my assumption that this configuration will not work by
definition due to keycloak.json missing, or could this error be caused by
something else?
7 years, 10 months
Bearer-only auth in keycloak-secured REST API (Node.js)
by Saransh Kumar
Hello,
I have used bearer-only auth in my REST API, and I am sending an
Authorization: Bearer header in a GET request from the front end.
Protect.js
......
return function protect (request, response, next) {
    if (request.kauth && request.kauth.grant) { // Line 2
        if (!guard || guard(request.kauth.grant.access_token, request, response)) {
            return next();
        }
        return keycloak.accessDenied(request, response, next);
    }
    ........
When I am invoking protect.js in my GET request:
router.get('/', cors(), keycloak.protect(), function (req, res, next) { });
Line 2, which is the if statement, is turning out to be false, so I wanted
to know why request.kauth and request.kauth.grant are returning false.
Thanks in advance
Saransh
7 years, 10 months
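For the request.kauth.grant question above, the following is an added example (not code from the original post or from keycloak-connect) that models the request pipeline in a cut-down form. In keycloak-connect, app.use(keycloak.middleware()) is the piece that reads the Authorization: Bearer header and attaches request.kauth.grant; protect() only inspects what is already on the request, so a route whose chain never ran that middleware, or whose token failed validation (expired, undecodable, absent), hits the same false branch at "Line 2". The attachGrant() function below is a simplified stand-in for that middleware: it decodes the token and checks its expiry only, whereas the real middleware also verifies the signature against the realm key. The token builder, the runChain runner and hasRealmRole guard are constructed for the example and are not keycloak-connect APIs.

```javascript
// Added example: why protect() sees no request.kauth.grant. Stand-ins only;
// keycloak-connect's own middleware additionally verifies the token signature.

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed, unsigned test token (alg "none"); real Keycloak tokens are signed.
function makeTestToken(payload) {
  return `${base64url({ alg: 'none', typ: 'JWT' })}.${base64url(payload)}.`;
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Stand-in for keycloak.middleware(): attaches request.kauth.grant when a bearer
// token is present and not expired; otherwise kauth exists but has no grant.
function attachGrant(nowSeconds) {
  return function (request, response, next) {
    request.kauth = request.kauth || {};
    const match = /^Bearer\s+(\S+)$/i.exec(request.headers.authorization || '');
    if (match) {
      try {
        const payload = decodeJwtPayload(match[1]);
        if (typeof payload.exp === 'number' && payload.exp > nowSeconds()) {
          request.kauth.grant = { access_token: payload };
        }
      } catch (e) {
        // undecodable token: no grant is attached, so protect() will deny
      }
    }
    next();
  };
}

// Same shape as the protect() quoted in the post: no grant, or a failing guard, ends in 403.
function protect(guard) {
  return function (request, response, next) {
    if (request.kauth && request.kauth.grant) {
      if (!guard || guard(request.kauth.grant.access_token, request, response)) {
        return next();
      }
    }
    response.statusCode = 403;
  };
}

// Guard factory: require a realm role carried in the access token's realm_access claim.
function hasRealmRole(role) {
  return (accessToken) =>
    !!accessToken.realm_access && accessToken.realm_access.roles.includes(role);
}

// Tiny Express-style runner: 'allowed' only if every middleware called next().
function runChain(middlewares, request) {
  const response = { statusCode: 200 };
  let i = 0;
  let reachedHandler = false;
  function next() {
    if (i < middlewares.length) middlewares[i++](request, response, next);
    else reachedHandler = true;
  }
  next();
  return reachedHandler ? 'allowed' : `denied (${response.statusCode})`;
}

function bearerRequest(token) {
  return { headers: { authorization: `Bearer ${token}` } };
}

module.exports = { makeTestToken, decodeJwtPayload, attachGrant, protect, hasRealmRole, runChain, bearerRequest };
```

Running protect() alone against a request that carries a perfectly good token yields the denied outcome, while the same request through attachGrant() followed by protect() is allowed; that ordering is the first thing to check in the real application (keycloak.middleware() must be installed before the routes that use keycloak.protect()), followed by the token itself (issuer, expiry, and the realm it was issued for).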